Preface


This document was generated in support of NASA contract NAS1-18586, Design and Validation of Digital 
Flight Control Systems Suitable for Fly-By-Wire Applications, Task Assignment 3. Task 3 is concerned 
with the formal verification of embedded systems. 

The formal verification of a microprocessor involves demonstrating that a specification of the 
microprocessor is satisfied by its implementation. The specification is usually a formal description of the 
microprocessor's instructions. Any more concrete description of the microprocessor can suffice for the 
implementation, but it has become the practice for the implementation to represent the major electronic 
blocks that constitute the microprocessor (ALU, registers, latches, memory, etc.), hence the name electronic 
block model. Although not necessarily done routinely, a realization of the electronic block model can be 
checked by simulation or other testing methods. 


A particular microprocessor of interest is Viper, designed by the Royal Signals and Radar Establishment, 
UK (RSRE) for critical applications. An initial successful proof of Viper (by Avra Cohn) was of its major 
state model. However, what was verified is considered to be too abstract for an implementation. A 
subsequent effort was undertaken by Cohn to verify Viper's electronic block model. Both of these efforts 
made use of the HOL (the Cambridge Higher Order Logic) theorem prover. This latter proof was not 
completed, mostly because it became too time consuming. 

Our view of the incomplete proof of Viper is that the jump in abstraction between the electronic block 
model and the specification is too great. By introducing intermediate levels between the two extreme 
models, the overall proof becomes one of establishing more but simpler proofs. Windley, in a recent U. C. 
Davis PhD thesis showed that the levels can be represented as interpreters, each of which models an 
abstraction of a microprocessor. For example, one of the levels is an interpreter for the execution of 
microinstructions. To further simplify the proof effort, Windley developed a theory of generic interpreters: 
a notation that is sufficiently powerful to represent a large class of interpreters. The interpreter theory has 
been formalized using generic theories in HOL for use in specifying and verifying microprocessors. The 
generic interpreter theory formally defines an interpreter and generates a correctness theorem for the generic 
model stating what it means, in general, for an instance of the interpreter to be correctly implemented. 

To demonstrate the effectiveness of this theory on a real microprocessor instruction set, this report presents 
our results on applying the generic interpreter methodology to Viper. We redesigned Viper as a hierarchy of 
five interpreters, each of which is an instance of the generic interpreter. The top level specifies the Viper 
instruction set, and the lowest is an abstraction of the conventional electronic block model, but one that 
implements a microinstruction interpreter. 

In this report we discuss our design of the microcoded machine that realizes the Viper instruction set, and 
our verification of this machine. The design and most of the verification was carried out in 1 person-year 
by two Master's students with no previous background in formal methods. We also discuss features of the 
original Viper design that our verification effort does not consider. 

The NASA technical monitor for this work is Sally Johnson of the NASA Langley Research Center, 
Hampton, Virginia. 

The work was accomplished at Boeing Military Airplanes, Seattle, Washington, and the University of 
California, Davis, California. Personnel responsible for the work include: 

Boeing Military Airplanes: 

T. M. Richardson, Program Manager 
G. C. Cohen, Principal Investigator 

University of California: 

Dr. K. Levitt, Chief Researcher 
Tejkumar Arora 
Tony Leung 
Sara Kalvala 
E. Thomas Schubert 
Dr. Philip Windley 
Mark Heckman 




TABLE OF CONTENTS 

1.0 INTRODUCTION 
1.1 VIPER 
1.2 Abstraction 
1.2.1 Hierarchical Decomposition 
1.2.2 Generic Interpreters 
1.3 What we have accomplished vis-a-vis VIPER 
1.4 Notation and Conventions 
1.5 Chapter Summaries 
2.0 RELATED MICROPROCESSOR VERIFICATION EFFORTS 
2.1 Tamarack 
2.2 FM8501 
2.3 VIPER 
2.4 SECD 
2.5 Comparison 
3.0 THE FIVE-LEVEL STRUCTURE OF OUR VIPER IMPLEMENTATION 
3.1 VIPER Instruction Level 
3.2 The Macro Level 
3.3 Micro Level 
3.4 Phase Level 
3.5 Electronic Block Level 
3.5.1 The Data Path 
3.5.2 The Control Unit 
4.0 PROOF METHODOLOGY 
4.1 Abstract operations 
4.2 Verification Using an Abstract Interpreter Model 
4.3 Hierarchical proof 
5.0 MACRO LEVEL SPECIFICATION AND PROOF OF MICRO LEVEL 
5.1 Instantiation of the interpreter 
5.2 Example specification 
5.3 Proof obligations and example proof 
6.0 MICROCODE SPECIFICATION AND PROOF OF PHASE LEVEL 
6.1 Instantiating the generic interpreter 
6.2 Specification of microinstructions 
6.3 Proof obligations 
7.0 PHASE SPECIFICATION, BLOCK SPECIFICATION AND PROOF 
7.1 Description of the phases 
7.2 Description of block level 
7.3 Proof of the Block level 
8.0 MACRO LEVEL CORRESPONDENCE TO RSRE SPECIFICATION 
8.1 Introduction 
8.2 Methodology 
8.3 Defining the instructions 
8.4 Proof of SHLB 
8.5 Definition of the Decoder 
9.0 CONCLUSIONS 

APPENDICES 

APPENDIX A: DESCRIPTION OF HOL 
APPENDIX B: INTERPRETER THEORY AND ABSTRACT FUNCTIONS 
APPENDIX C: VIPER LEVEL SPECIFICATION 
APPENDIX D: MACRO LEVEL SPECIFICATION 
APPENDIX E: MICRO LEVEL SPECIFICATION 
APPENDIX F: MICROCODE 
APPENDIX G: SAMPLE MACRO TO MICRO LEVEL PROOF 
APPENDIX H: PHASE LEVEL SPECIFICATION 
APPENDIX I: ELECTRONIC BLOCK LEVEL 
APPENDIX J: INSTRUCTION DECODER 



LIST OF FIGURES 

1.2-1 A microprocessor specification can be decomposed hierarchically 
3.1-1 VIPER Instruction Format 
3.3-1 Microinstruction sequence for SHLB 
3.5-1 Electronic Block Model 
3.5-2 Microinstruction Format 
4.1-1 Abstract representation of operations 
4.1-2 Using an abstract representation 
4.2-1 Abstract representation of a processor 
4.2-2 Specification of the interpreter 
4.2-3 Implementation of the interpreter 
4.2-4 Obligations of the interpreter model 
4.2-5 Intermediate lemma in final proof 
4.2-6 Correctness of the interpreter 
5.1-1 Macro level viewed as an interpreter 
5.1-2 Macro-instruction list 
5.1-3 State as viewed by macro-instructions 
5.1-4 Obligation for macro-instructions 
5.2-1 The write_reg function 
5.2-2 Example macro-instruction 
5.3-1 Function to generate goals 
5.3-2 Proof of SHLB instruction 
6.1-1 Micro level interpreter in terms of the generic interpreter 
6.2-1 State as viewed by microinstructions 
6.2-2 Example microcode 
6.3-1 Correctness of microinstructions 
6.3-2 Correctness of the micro level 
7.1-1 State manipulated by phase and EBM levels 
7.1-2 Description of first phase 
7.1-3 Description of second phase 
7.1-4 Third phase 
7.1-5 Third phase, continuation 
7.2-1 Register with enable input 
7.2-2 Data path 
7.3-1 Instantiating generic interpreter at phase level 
7.3-2 Tactic for proving individual phases 
7.3-3 Proof of correctness of phase level 
8.2-1 VIPER's NEXT function 
8.2-2 Goal for the verification step 
8.4-1 Goal for proof of SHLB 
8.4-2 Lemmas for cases of dsf 
8.4-3 Tactics in proof of SHLB 
8.4-4 Lemmas with properties of VIPER level 
8.4-5 Error cases in VIPER specification 
8.4-6 Tactic used in proof of SHLB 

LIST OF TABLES 

2.5-1 Comparison of verified microprocessors 
3.2-1 VIPER macroinstructions 
3.2-2 Decoding operand fields 
A-1 HOL Infix Operators 
A-2 HOL Binders 
A-3 HOL Type Operators 




1.0 INTRODUCTION 


Computers are being used with increasing frequency in areas where the correct implementation 
of the computer hardware is critical. These include: 

• Safety-critical applications where the computer is directly involved in the control of systems 
that protect human life. A flight control system on an aircraft or the control system in a 
nuclear power plant are examples of this type of application. 

• Security-critical applications where the computer is used to process information that is eco- 
nomically or politically sensitive. Many computers used in government or industry fall into 
this category to one degree or another. 

• Mass-produced consumer goods where the computer is an integral part of the product and 
a mistake in the design or implementation could result in product recalls costing enormous 
amounts of money. 

In these and other applications it is vital that the computer system be correct. 

There are two complementary approaches to computer correctness: fault tolerance and fault 
exclusion. The former, usually achieved through designs with redundant computing elements, is 
most useful in handling dynamic faults occurring during system operation, due to component failure 
or other unexpected events. The latter is a static process intended to remove errors in design and 
implementation before the computer system is in service. 

Testing is an example of a fault exclusion technique. Testing can be divided into two distinct 
kinds: implementational testing, which is used to verify that a physical device is fabricated correctly, 
and functional testing, which is used to verify that a design functions as the designer intended. 
Because it is impossible to exhaustively test a computer system, formal verification is an attractive 
alternative to functional testing. 

Formal verification requires at least two descriptions of a system: one of its implementation 
and one of its specification. Correctness is shown by demonstrating through mathematical proof 
that the former implies the latter. Although verification can be carried out using pencil and paper, 
the detail associated with the verification of realistic systems would overwhelm even the most 
patient human prover. Moreover, humans, being fallible, are likely to accept erroneous proofs as 
theorems. An alternative is the use of theorem proving programs. Such mechanical theorem provers 
range from proof generators that attempt to create a proof with minimal human assistance to proof 
checkers that check a human-created proof. We used the HOL (Cambridge Higher Order Logic) 
theorem prover for our work. HOL's style of proof is closer to that of a proof checker than a proof 
generator, but HOL can be programmed to also provide significant automation in the creation of 
proofs. 

Although through verification a computer system can, in principle, be demonstrated to contain 
no design errors, verification cannot in practice be guaranteed to achieve such a goal. First of all, 
the specification might not represent what the user wants of the system; in other words, the creation 
of the specification from informal requirements can introduce errors. Second, what is being verified, 
the implementation, is an abstraction of the physical device that comprises the microprocessor; the 
physical device might not correspond to the implementation, possibly due to errors introduced in 
the fabrication process. Third, verification, even with the assistance of mechanical theorem provers, 
is difficult and extremely human intensive; it might be impossible to complete the verification of 
complex systems. 

Verification methodology has held the promise of correct programs for many years. However, 
it has been mostly impractical for large programs. In recent years, there has been interest in 
microprocessor verification. Although large programs are beyond the capability of the current 
verification technology, the verification of commercial microprocessors should be realistic. Our 
justifications for being optimistic about microprocessor verification are as follows: 

• The specification for a microprocessor is not difficult to produce, largely expressing the func- 
tional behavior of each instruction. 

• The implementation for many microprocessors is conceptually straightforward, largely in- 
volving iterative structures (such as registers) and control logic to resolve the many different 
cases. The algorithms represented by the implementation, even for arithmetic, are usually 
extremely simple compared with those associated with programs. 

However, the detail involved in microprocessor proofs rapidly becomes staggering. This was 
the experience of Avra Cohn in attempting to verify the VIPER microprocessor. 
1.1 VIPER 


VIPER was designed by RSRE (ref. 1) in the mid-1980’s. Not intended by its designers to 
push the envelope of microprocessor design, VIPER was designed to be simple and verifiable. For 
example, VIPER does not contain a stack or (user and privileged) modes, nor does it support 
interrupts. The first was excluded because it invites a programming practice that can lead to 
runtime errors, and the third because it was thought to be a feature difficult to verify. We have not 
seen comments on the second, but we conjecture that VIPER would not be used in any applications 
requiring multitasking. 

Of interest to us here are the attempts to verify VIPER, in particular (ref. 2). The top-level 
specification defines the NEXT state as a function of the current state and the current instruction. 
The elements of the state are main memory, five registers, and a few status bits, abstracting away 
a large fraction of the state that comprises the implementation. The implementation, called the 
electronic block model, is described in terms of logical blocks such as an ALU, registers, flip-flops, 
multiplexors, etc. Both the specification and the electronic block model were provided to Cohn 
by RSRE. The proof was to demonstrate that the electronic block model implies the specification; 
HOL was used in the proof process. 

Cohn’s work remains a significant contribution, having formalized the electronic block model 
in HOL and having developed a methodology and many lemmas that could be used to carry out the 
proof. However, the proof was not completed. As it progressed, it became clear that approximately 
1 person-week was required to prove the implementation of each of the 122 cases in the specification. 

The difficulty was due to a number of factors, including: 

a. RSRE’s specification is extremely unstructured; essentially it is almost totally non-orthogonal. 
Although not conceptually difficult, the specification is still long — three pages of HOL logic. 
The specification is quite a bit more unstructured than what one would expect of the instruc- 
tion set architecture for a computer with the instruction set power of VIPER. 

b. Although not particularly complicated as compared with state-of-the-art commercial micro- 
processors, the implementation is still quite long. It occupies approximately seven pages of 
HOL logic. If this were a program being verified, by all measures it would be of nontrivial 
length. 

c. Further elaborating on (b), the jump in abstraction between the specification and the electronic 
block model is too large to be carried out in one step. 

d. There is insufficient support in HOL for the kinds of low-level reasoning associated with words, 
bit strings, etc. 


It is item (c) that is of particular concern to us. In starting out on our work, we conjectured that 
through intermediate abstractions the proof effort required for VIPER could be simplified to the 
point where it would be realistic. It is still necessary to verify the lowest level of abstraction, defined 
in seven pages of HOL logic, ultimately with respect to the highest level of abstraction, occupying 
three pages of specification representing 128 cases. However, if the next to the lowest level of 
abstraction has fewer cases, the lowest level will be easier to verify. Similarly, if the next-to-highest 
level of abstraction is shorter, it will be relatively easy to verify with respect to the specification. 
The handcrafting of levels of abstractions is what is needed to simplify the verification of complex 
systems. In creating these abstractions, there will be tradeoffs among the number of cases, the size 
of the abstraction’s specifications, and the jump in data abstraction between adjacent abstractions. 

As discussed later, the specification of the electronic block model of our VIPER machine 
is simpler than Cohn's: it omits details not pertinent to our proof. For example, we do not 
specify the logic of the ALU in detail; instead it is declared to perform one of 32 unspecified 
functions. This incompleteness, of course, appears at all levels, including the top level. As 
noted by Brock and Hunt (ref. 3) with respect to a similar but less glaring weakness in 
the RSRE specifications of VIPER, the top-level specification does not permit proofs of programs 
that depend on the semantics of these operations to be carried out. However, the incompleteness 
in the electronic block model is not relevant to the main purpose of our verification effort: to verify 
that the sequence of actions at the electronic block model assure (among many other things) that 
the correct ALU control lines are asserted with respect to the instructions under execution. 

VIPER has many more features that make it suitable for use in safety-critical applications, 
but are not modeled at the top level. These include input signals for resetting the machine, single- 
stepping it, forcing the machine into an error state, and extending read/write cycles. Output 
signals are also provided to indicate the state of the STOP and B flags, and whether the machine 
is currently fetching or executing an instruction. VIPER also incorporates a time-out facility in its 
interaction with the memory. 

Because these features are inconsequential to the top-level specification, they can safely be 
ignored in the block-level specification, i.e., the implementation. However, for the purpose of 
verification with respect to the top-level instructions, certain assumptions about the behavior 
of these signals must be made. For example, the reset signal is assumed to be false throughout 
the execution of an instruction, and the STOP flag is assumed to be false at the beginning of an 
instruction. In addition, a simple memory model in which memory responds in a fixed and known 
number of cycles is assumed, although the design of VIPER supports more complex memory 
protocols. 


1.2 ABSTRACTION. 


Viewing a complex program as a hierarchy of abstractions is a well-known approach to sim- 
plifying the verification of such a system. Programming languages such as Ada provide syntactic 
units (i.e., modules) for defining abstractions; of course, it is the programmer’s responsibility to 
create modules that will simplify the design and, if it is relevant, the verification. 


To facilitate the use of abstraction in the design and verification of microprocessors, Wind- 
ley (ref. 4) formalized the concept of interpreters. 


1.2.1 HIERARCHICAL DECOMPOSITION. 

As mentioned above, verification requires at least two formal descriptions of the computer 
system: one behavioral, B, and one structural, S. Verification consists of showing through formal 
proof techniques that 

$S \Rightarrow B$ 

One need not be limited, of course, to one level of abstraction. Supposing that $B_1$ through 
$B_n$ represent increasingly abstract specifications of the system's behavior, one could verify its 
correctness by proving 

$S \Rightarrow B_1 \Rightarrow \cdots \Rightarrow B_n$ 

Figure 1.2-1 shows how this principle can be applied to the specification of a microprogrammed 
microprocessor. At the bottom of the hierarchy is the usual structural specification of the electronic 
block model. 

Figure 1.2-1: A microprocessor specification can be decomposed hierarchically. 

This specification describes the computer's implementation: for our purpose, the connections 
among its various components. At the top is the behavioral specification corresponding to the 
programmer's model of the microprocessor. In between these are two additional abstraction levels: 
one for the microcode interpreter and one specifying the phase (or subcycle) behavior. Our VIPER 
design has two macro levels: the topmost is the RSRE specification and the next lower specifies an 
orthogonal instruction set containing 20 instructions. 


Hierarchical decomposition plays an important role in the methodology for verifying micropro- 
cessors. The use of a hierarchical decomposition can lead to significant reductions in the amount 
of effort used to structure and complete a correctness proof. 


1.2.2 GENERIC INTERPRETERS. 

With one exception, each of the levels in the specification hierarchy shown in Figure 1.2-1 
has the same structure. The bottom-level specification is a structural description, but the other 
specifications all share a common structure. Each of the abstract behavioral descriptions can be 
specified using an interpreter model. However, the level in our hierarchy that corresponds to the 
RSRE instruction set does not fit exactly our interpreter model. 
Perhaps the most distinguishing feature of an interpreter is that it has a flat control structure. 
One of n instructions is chosen based on the current state. The chosen instruction operates on 
the state and the cycle begins anew. There are a large number of interesting computer systems 

that have a flat control structure: microprocessors, operating systems, language interpreters, and 
editors are a few. 

Since each of the behavioral descriptions in the specification hierarchy is similar, we would 
prefer to develop a general model of an interpreter and use this model in our specification rather 
than treating each level in the hierarchy separately. 

As we will demonstrate, a generic interpreter specification consists of a number of parts: 
abstract state, instructions, selectors for instructions, mapping to next lower state, description of 
implementation, etc. To verify the instantiation of a generic interpreter involves the verification of 
obligations, the most difficult of which is that each instruction is correctly implemented. 


1.3 WHAT WE HAVE ACCOMPLISHED VIS-A-VIS VIPER 

Our goal was to show that through the use of the generic interpreter methodology a micro- 
processor as complex as VIPER could be verified. Since VIPER was not designed as a hierarchy 
of interpreters, the RSRE VIPER design could not be verified using this methodology. Hence, we 
designed a microprocessor that would realize the VIPER instruction set as specified by RSRE. The 
design is in terms of the five levels of abstraction, as follows: 

a. The top level is, with a few minor simplifications, the RSRE specification. In the RSRE 
specification, all functions (with the exception of a few arithmetic functions) are defined; in 
our specification some functions (such as the comparison of two words) are uninterpreted. 
As indicated previously, the exact meaning of functions used to define the instructions is 
not relevant to a proof that shows that the appropriate ALU signals are asserted for each 
instruction, and operands are fetched from and stored to the specified locations. 

b. The next level down is the macro level specification (the top level of figure 1.2-1), providing 
20 instructions. This level, as opposed to the RSRE specification, represents the VIPER 
instruction set in terms of comparatively few instructions with orthogonal fields. It is emphasized 
that this level is equivalent in power to the RSRE specification, but of course, having a different 
instruction format, this level would not execute VIPER programs directly. It was necessary to 
demonstrate that this level realizes the RSRE specification at level (a). 




c. The third level is the micro level, providing approximately 100 microinstructions. Each macro 
instruction is implemented as a linear (loop-free) sequence of a subset of the microinstructions. 
The microcode is in effect the data of this level. 

d. The next level down is the phase level, which implements each microinstruction in a sequence 
of three phases. 

e. The lowest level is the Electronic Block Model level, which consists of the control structure 
and datapaths to implement each of the phases. 

Our experience to date has convinced us that the generic methodology has simplified the 
proof effort by half, as compared with Cohn’s experience. Furthermore, the use of hierarchical 
abstractions has permitted us to divide up the proof. Most of the proof was accomplished by two 
Master’s students, each student verifying 2 levels. 

As Cohn has noted, it is important to clearly state what has been and what has not been 
verified. 

Our proof demonstrates that the Electronic Block Model we have designed implements the 
RSRE instruction set. It is important to note that the ALU is a component of the Electronic 
Block Model. But having just specifications for the ALU, and not an implementation, means that 
we are not verifying that the ALU, when stimulated with signals that are assumed to cause it 
to add two numbers, actually does carry out the add operation. Of course, we could carry out 
the verification down to the gate level and verify the ALU, decoders, flip-flops, registers, and the 
other components taken as primitives of the Electronic Block Model. Such proofs are within current 
verification capabilities and in fact have been performed routinely by many verification teams. 

When all is said and done, our verification shows the following: For each instruction of the 
RSRE specifications, the Electronic Block Model causes the proper sequencing of actions to take 
place; the operands are fetched from the right place (registers or memory), the results are stored 
in the right place, and the right signals are asserted on the primitive functional units (such as the 
ALU). Since there are many ways the Electronic Block Model could sequence activities (most of 
them incorrect) what is verified is far from trivial. 
1.4 NOTATION AND CONVENTIONS. 


Our notation will be that of standard logic with a few extensions: 

• Terms in the logic will be written in typewriter font. 

• Conjunction, disjunction, negation, implication, universal quantification, existential quantifi- 
cation, and lambda abstraction use the usual symbols: ∧, ∨, ¬, ⇒, ∀, ∃, and λ respectively. 

• We use a conditional operator that is written a → b | c, meaning "if a, then b, else c." 

• Definitions will be denoted with a pre-pended ⊢_def. 

• Terms that have been formally proven in the logic will be pre-pended with ⊢. 

Other notations and logical expressions will be explained as they are used. 


1.5 CHAPTER SUMMARIES. 

Chapter 2 compares VIPER to other microprocessors that have been verified. Our Macro level 
shows that VIPER can be viewed as a microprocessor with approximately 20 instructions — about 
the same as several other microprocessors that have been verified. However, VIPER’s imple- 
mentation complexity was reflected in the size of its microcode, i.e. approximately three times 
the complexity of other microprocessors considered for verification. The additional complexity is 
mostly due to error conditions. 

Chapter 3 presents our design for the VIPER microprocessor, with the discussion organized 
according to the five levels of interpreters identified. 

Chapter 4 reviews the hierarchical methodology employed in the verification. Excluding the 
top and bottom levels, each level in the hierarchy is a generic interpreter, which is instantiated to 
include the instructions supported by the interpreter, a unique key assigned to each instruction, 
the state space of the interpreter and its implementing interpreter, a mapping between these state 
spaces, and a description of the implementation. Once instantiated, an interpreter can be verified — 
showing that the implementation implies the specification for each instruction in the specification. 

Chapters 5, 6, 7, and 8 highlight the verification effort. We discuss the specifications for each 
of the five interpreters and present in detail the verification of the shift-left instruction through the 
five levels. 
Chapter 9 presents our conclusions and recommendations for future work. Particularly rel- 
evant are the recommendations for providing additional automation in the HOL system and the 
need for faster theorem proving engines. Although VIPER is a significant challenge to the current 
verification technology, it is still a rather impoverished microprocessor. Of interest, then, is the 
scalability of the verification we and others working on microprocessor verification are pursuing: 
the prospects for verifying designs that are more complex than VIPER by an order of magnitude. 

The 10 appendices include a brief description of the HOL logic (Appendix A) and the HOL 
listings of the five interpreters and the ML code that constitutes the verification. We have included 
the complete listings to allow the dedicated reader the opportunity to check our proof, to improve 
it through the use of better tactics, to extend the design with new features, or to translate the 
specifications into a different logic. 
2.0 RELATED MICROPROCESSOR VERIFICATION EFFORTS 


There have been numerous efforts to verify microprocessors. Many of these have used the 
same implicit behavioral model. We will first describe this implicit model and then describe the 
microprocessor verifications that use it. 

In general, the model uses a state transition system to describe the microprocessor. The 
microprocessor specification has four important parts: 

a. A representation of the state, S. This representation varies depending on the verification 
system being used. 

b. A set of state transition functions, J, denoting the behavior of the individual instructions of 
the microprocessor. Each of these functions takes the state defined in step (a) as an argument 
and returns the state updated in some meaningful way. 

c. A selection function, N, that selects a function from the set J according to the current state. 

d. A predicate, I, relating the state at time t + 1 to the state at time t by means of J and N. 

In some cases, the individual state transition functions, J, and the selection function, N, are 
combined to form one large state transition function. Also, a functional specification would use a 
function for part (d) instead of a predicate. The specifications, however, are largely the same. 

After the microprocessor has been specified, we can verify that a machine description, M, 
implements it by showing 

$\forall s \in S.\ M(s) \Rightarrow I(s)$ 

That is, I has the same effect on the state, s, that M does. This theorem is typically shown by 
case analysis on the instructions in J by establishing the following lemma: 

$\forall j \in J.\ M(s) \Rightarrow (\forall t{:}\mathrm{time}.\ C(j, s, t) \Rightarrow s(t + n_j) = j(s(t)))$ 

where C is a predicate expressing the conditions for instruction j's selection, s(t) is the state at 
time t, and $n_j$ is the number of cycles that it takes to execute j. This lemma says that if an 
instruction j is selected, then applying j to the current state yields the state that results by letting 
the implementing interpreter M run for $n_j$ cycles. We call this lemma the instruction correctness 
lemma. 

The remaining parts of this section describe microprocessor verifications where some variation 
of this general model was used. 
2.1 TAMARACK 


Tamarack is a small microcoded microprocessor that has been verified by Jeffrey Joyce at the 
University of Cambridge. Joyce has verified Tamarack to the transistor level using HOL and has 
fabricated an 8-bit version of the design in CMOS. In addition to verifying the microprocessor, 
Joyce has also verified a compiler for Tamarack (ref. 5). 

Tamarack is a 16-bit computer with a 13-bit address space. The computer has 8 instructions: 
halt, jump, jump if zero, add, subtract, load, store, and skip (or no operation). The architecture has 
an accumulator and a program counter visible to the assembly language programmer in addition 
to the memory. The computer is implemented in microcode and has a single bus connecting each 
of the blocks in the electronic block model. The microstore is 32 microwords long. 

Tamarack is based on a computer designed and verified using the LCF-LSM system (a precursor 
to HOL) by Mike Gordon (ref. 6). Daniel Weise verified Gordon’s design using a Lisp-based system 
called Silica Pithecus (ref. 7) and Harry Barrow verified it using a system called VERIFY (ref. 8), 
making this the most widely verified microcomputer design. 

The specification and verification of Tamarack corresponds closely to the general model developed 
at the beginning of this section. The macro-level specification denotes what each instruction 
does and ties the descriptions of each instruction together with a predicate stating the relation 
between the state at time t and time t + 1. 

The verification of Tamarack is enlightening since it has been performed many times with 
many different verification systems and using many levels of abstraction. Tamarack is, however, 
small, and research is underway to discover methods for scaling the Tamarack experience to larger 
microprocessors, including those with larger instruction sets and support for operating systems. 


2.2 FM8501. 

FM8501 is a microprocessor designed and verified by Warren Hunt using the Boyer-Moore 
theorem prover (ref. 9). The architecture has a register file containing eight, 16-bit registers, a 
64K-byte memory space, 26 instructions, and four memory addressing modes. FM8501 models 
memory as an asynchronous process. The implementation is microcoded and has a microstore of 
16 microwords. 
The specification of FM8501 consists of two recursive functions: one for the behavioral specification 
and one for the implementation. The functions recurse at each clock cycle, computing a 
new state. Time and the asynchronous inputs to the CPU are modeled by an oracle. The oracle 
is represented by a list; it is this list that the specifications recurse on. Time is represented by the 
current position of the recursive specification in the list. Each member of the list gives whatever 
asynchronous inputs may exist at that time. The proof shows the equivalence of the two recursive 
functions using an abstract (uninterpreted) oracle function. 

Crocker et al re-verified FM8501 using a specification written in ISPS in the SDVS verification 
system (ref. 10). The re-verification is significant because the work used no part of Hunt's work 
directly and thus represents an independent verification of the design using a different verification 
system. 

On the surface, the verification of FM8501 appears quite different than the verification of 
Tamarack, but in fact, they are very similar. The methods of specification for the top-level can be 
seen as an instance of the general model presented at the beginning of this section. The verification, 
even though done on a functional specification in a first-order system, uses a form of the 
instruction correctness lemma to show that the electronic block model implements the top-level 
specification. 


2.3 VIPER. 

VIPER was designed by Britain’s Royal Signals and Radar Establishment (RSRE) at Malvern 
to provide a formally verified microprocessor for use in safety-critical applications. VIPER's 
designers chose not to include a stack and interrupts, anticipating that they might lead to difficulties 
in the verification. The machine was designed to halt on errors and raise an external exception. 
The fabrication was carried out by two separate manufacturers and is commercially available. 

VIPER has a 20-bit program counter, a 32-bit general purpose accumulator, and two 32-bit 
index registers. VIPER has a single instruction format that allows the user to select a source 
register, one of four memory addressing modes, one of eight destinations, whether or not to compare, 
and one of sixteen ALU functions. In addition to the fields just mentioned, each instruction contains 
a 20-bit address. The VIPER design is described in detail in (ref. 1). The implementation is 
hardwired instead of being microcoded. 





The combination of fields in the instruction format (excluding source and destination selections) 
yields 122 different instruction cases. Our analysis of the VIPER design (ref. 11) has characterized 
the VIPER instruction set using only 20 instructions. As we will see, this is an important distinction 
that bears on the difficulty of verifying VIPER, and motivated us to include a new macro level in 
our design. 

VIPER is the first microprocessor intended for commercial use where formal verification was 
attempted. Again, the verification was not completed. While VIPER is significantly simpler than 
today's general purpose microprocessors, its verification provides a benchmark on the state-of-the- 
art in microprocessor verification. 

The specification of VIPER attendant to previous proof efforts (by RSRE and others) is hierarchical, 
although the levels do not have the uniform structure of our specification. The top-level 
specification of VIPER developed by RSRE is similar in style to that of Tamarack (ref. 5). The next 
level of the specification is called the major-state machine and is a description of VIPER’s major 
states. The next level in the specification is the electronic block model. The top two levels were 
specified first in LCF-LSM and later in HOL. The electronic block model was specified in HOL. 
Below the electronic block model the circuit was described using a hardware description language 
called ELLA and verified by “intelligent exhaustive simulation” (ref. 12). 

A paper-and-pencil proof of correctness between the top-level of VIPER and the major-state 
machine was performed by RSRE. Because of the complexity of the lower-level (electronic block 
model to major state machine) proof, RSRE did not attempt a hand proof of this level. RSRE 
contracted with Avra Cohn at Cambridge University to formalize the top-level proof and perform 
the lower-level proof. Cohn describes her formal verification of the major-state machine with 
respect to the top-level specification in (ref. 13). 

Cohn decided to forego the proof of the top-level correspondence in trying to verify the electronic 
block model since the major-state level specification and the electronic block model yielded 
dissimilar structures under case analysis. Instead, she attempted to show a direct correspondence 
between the top-level and the electronic block model (ref. 14). Cohn’s proof of this level remains 
incomplete because of the large case explosion that occurred and the size of the proofs in each of 
the cases. This is not to say that the proof could not be completed. 

From Cohn’s experience with VIPER, it seems clear that abstraction is critical in dealing with 
the large case explosion that occurs in these kinds of proofs. The major-state machine did provide 
a level of abstraction between the top-level and the electronic block model, but it appears to be 
the wrong one. In addition, Cohn had almost no access to VIPER's designers and thus had little or 
no help in deciphering and understanding the mostly informal specification of the electronic block 
model. 

2.4 SECD. 

Brian Graham et al at the University of Calgary have undertaken the implementation and 
verification of the SECD machine (ref. 15). The SECD machine is an abstract Lisp machine 
invented by Landin to reduce lambda expressions (ref. 16). The variant of SECD implemented 
by Graham is described in (ref. 17). Graham’s work is part of a larger effort at the University of 
Calgary to verify a complete system including a LispKit compiler as well as the SECD chip. 

The architecture has four registers, called S, E, C, and D. The S register holds a stack pointer, 
the E register holds a pointer to the environment, the C register functions as a program counter, 
and D points to a stack used to dump the state of the machine. There are approximately 20 
instructions and the implementation is microcoded. 

The remarkable thing about the SECD proof is that even though the architecture is specialized, 
the specifications and proofs are done in a manner very similar to the proofs of the more conventional 
architectures described in the last three sections. The behavioral model corresponds to the general 
model described at the beginning of this section. The top-level specification is based on state- 
transitions and the description of the electronic block model is a predicate-based circuit description 
similar to both (ref. 5) and (ref. 14). The garbage-collection mechanism is implemented in hardware, 
and the proof was done without taking it into account. Work is in progress on a second proof that 
verifies the garbage-collection hardware and a second implementation. 

2.5 COMPARISON. 

Table 2.5-1 summarizes the designs of the four microprocessors presented in this section. The 
table, like all such tabulations, cannot hope to capture all of the important characteristics of the 
microprocessors, but the data presented does provide some basis for judging relative complexities. 
                  Tamarack   FM8501     VIPER    SECD 

User Registers    2          8          4        4 
Instructions      8          26         20       21 
Microcoded        yes        yes        no       yes 
Microstore size   32 words   16 words   N/A      512 words 
Interrupts        yes        no         no       no 
Memory Model      async      async      sync     sync 
Word Width        16-bit     16-bit     32-bit   32-bit 
Memory Size       8K         64K        1M       16K 

Table 2.5-1: Comparison of verified microprocessors 



3.0 THE FIVE-LEVEL STRUCTURE OF OUR VIPER IMPLEMENTATION 

The proof of correctness of the VIPER microprocessor requires that the formal description 
of VIPER’s implementation (down to the Electronic Block Model - EBM) implies the formal 
description of VIPER’s high-level specification. Due to the complexity and expense of proving this 
directly, however, the original VIPER verification was never completed (ref. 18). 

In order to simplify the proof effort so that it could be accomplished in a reasonable time, we 
described the specification and implementation of VIPER in the form of a hierarchy of abstract 
interpreters, as described in Chapter 1. Instead of directly relating the high-level specification 
and implementation descriptions, the high-level specification can be related to an intermediate and 
less-abstract interpreter, which can be related to a lower-level interpreter, and so on down to the 
implementation. Each lower-level interpreter can be said to implement the interpreter above it in 
the hierarchy. Although the number of theorems that must be proved increases, the theorems are 
typically simpler, and the overall proof effort is greatly reduced. 

The following sections describe the architecture of each of the hierarchical levels and summarize 
the proof strategy used to verify VIPER. The hierarchical decomposition approach uses five levels: 

a. VIPER instruction level-The RSRE specification. This is what the assembly-language pro- 
grammer sees. 

b. Macro Level-The high-level VIPER specification as an interpreter, it consists of 20 instruc- 
tions. 

c. Micro Level-The microcode level. Each high-level instruction is implemented by a series of 
microinstructions, which constitute the specification at this level. 

d. Phase Level — This level decomposes the interpretation of a single microinstruction into the 
parallel execution of a set of elementary operations. 

e. Electronic Block Level-The “implementation” level of the microprocessor, described in terms 
of blocks such as the registers and the ALU. 

The following paragraphs describe each level. 
Figure 3.1-1: VIPER Instruction Format 

3.1 VIPER INSTRUCTION LEVEL 


VIPER’S high-level architecture consists of three general-purpose 32-bit registers (called A, 
X and Y), a 20-bit program counter (called P), and a single-bit boolean register (B) that holds 
the results of comparison instructions. The registers X and Y are normally referred to as “index 
registers” because they are most commonly used for address indexing, although they can also be 
used as general purpose registers. There is also a STOP flag that is not accessible to a programmer, 
but indicates an error condition in the machine. Any illegal operation, arithmetic overflow or 
computation of an illegal address causes the STOP flag to be set. 


A memory address is 20 bits, but the memory itself has 32-bit words. The address space is 
divided into a memory space and a peripheral space each addressed by 20 bits. The distinction 
between the two is made by an extra memory/I/O bit. Only the least significant 20 bits of the 
program counter are meaningful, and loading a 1 into any of the top 12 bits will cause the machine 
to halt (viz., the STOP flag becomes true). 


An instruction word is 32 bits long and consists of an operation code in the most significant 
12 bits plus a 20-bit address. The address field is also used as an offset or constant by some 
instructions. The opcode is further subdivided as shown in Figure 3.1-1. 

The opcode subfields are not orthogonal and are interdependent in an intricate way. Briefly, 
these fields have the following function: 

rf: A 2-bit source register selector for the computation (A,X,Y or P). 

mf: A 2-bit memory address control field that indicates the mode of fetching the operand from 
memory (literal addressing, content addressing or offset addressing (offset X or Y)). 

df: A 3-bit destination selector for an ALU computation (registers, memory space or I/O space). 
cf: A 1-bit flag that indicates whether or not the instruction is a comparison. 

ff: A 4-bit function selector to indicate which comparison (if instruction is a comparison) or which 
computation is to be done by the ALU. 

The specifications for this level are given in Appendix C. 


3.2 THE MACRO LEVEL 

Although the 12 opcode bits allow 4096 possible instructions, many of the combinations have 
redundant subfields, or represent impossible conditions, so that there are only 122 unique possi- 
bilities. We have split the 122 cases into 20 instructions. The operations that are supported by 
these instructions fall into six categories: shifts, comparisons, arithmetic and logical operations, 
procedure calls, memory read/ writes and input/output instructions. The complete instruction set 
is listed in Table 3.2-1, with the meaning of the operand fields explained in Table 3.2-2. The HOL 
definitions for the entire macro-level are in Appendix D. 

The SHLS instruction is one of 20 instructions in our macro level. If the stop field is set, 
there is no state change. The new value for the program counter is computed by adding 1 to the 
current value. If the address is invalid, the stop field is set. Otherwise, the register to be shifted 
is determined, and the shift performed. Finally, the shifted result is written to the appropriate 
register and the overflow bit is set if appropriate. 

The specification is described in more detail in Section 5.2. To verify that the macro-level 
realizes the VIPER instruction level it is necessary to map each of the 20 macroinstructions to the 
12 opcode bits of the VIPER level. A decoder function is introduced that maps the 12 opcode bits 
into a 5 bit instruction field (for 20 instructions) and (nearly) orthogonal fields corresponding to 
source register select (2 bits), memory mode select (2 bits) and destination register select (2 bits). 
The comparison flag and function select fields of the VIPER instruction level are not needed at the 
macro level. 
Mnemonic   Operands        Effect 

NOOP       dreg, sreg      No operation 
SHRS       dreg, sreg      dreg := sreg shifted right (copy sign bit) 
SHRB       dreg, sreg      dreg := sreg shifted right through B 
SHLS       dreg, sreg      dreg := sreg shifted left; STOP := overflow 
SHLB       dreg, sreg      dreg := sreg shifted left through B 
COMPARE    ff, sreg, m     compare sreg and m, depending on ff 
ADDB       dreg, sreg, m   dreg := sreg + m; B := carry 
ADDS       dreg, sreg, m   dreg := sreg + m; STOP := overflow 
SUBB       dreg, sreg, m   dreg := sreg - m; B := borrow 
SUBS       dreg, sreg, m   dreg := sreg - m; STOP := overflow 
NEG        dreg, m         dreg := -m 
ANDM       dreg, sreg, m   dreg := sreg AND m 
NOR        dreg, sreg, m   dreg := sreg NOR m 
XOR        dreg, sreg, m   dreg := sreg XOR m 
ANDMBAR    dreg, sreg, m   dreg := sreg AND m-complement 
CALL       m               Y := P; P := m 
WRITEMEM   sreg, addr      mem[addr] := sreg 
READMEM    dreg, mem       dreg := m (from memory space) 
WRITEIO    sreg, addr      io[addr] := sreg 
READIO     dreg, mem       dreg := m (from io space) 

Table 3.2-1: VIPER macroinstructions 
sreg = source register (one of A, X, Y, P) 
dreg = destination register (one of A, X, Y, P) 
STOP = flag which indicates machine has stopped, and is set if overflow occurs 
B    = flag set by comparison operators 
m    = tail       if mf = 0 
       (tail)     if mf = 1 
       (tail+X)   if mf = 2 
       (tail+Y)   if mf = 3 
addr = tail       if mf = 1 
       tail+X     if mf = 2 
       tail+Y     if mf = 3 

Table 3.2-2: Decoding operand fields 
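The operand decoding of Table 3.2-2 together with a few of the Table 3.2-1 macroinstructions and the STOP conditions of Sections 3.1 and 3.5.1, as an added Python model; it is not the report's HOL specification (that is in Appendix D). The sparse memory, the method names, and the reading of "overflow" for ADDS as two's-complement overflow are assumptions.

```python
# Added example, not code from the report: a Python model of the VIPER
# macro level as Tables 3.2-1 and 3.2-2 describe it. Memory is a constructed
# sparse dict (address -> 32-bit word); the ADDS overflow rule is an assumption.

MASK32 = (1 << 32) - 1
MASK20 = (1 << 20) - 1


class Viper:
    """Macro-level state of Section 3.1: A, X, Y, P, B, STOP and memory."""

    def __init__(self, mem=None):
        self.reg = {"A": 0, "X": 0, "Y": 0, "P": 0}
        self.B = False
        self.STOP = False
        self.mem = dict(mem or {})

    def _check_addr(self, a):
        """An address with a 1 above bit 19 is invalid and sets STOP (Section 3.1)."""
        if a & ~MASK20:
            self.STOP = True
        return a & MASK20

    def _base(self, mf):
        # mf = 1: (tail); mf = 2: (tail+X); mf = 3: (tail+Y), per Table 3.2-2
        return {1: 0, 2: self.reg["X"], 3: self.reg["Y"]}[mf]

    def operand(self, mf, tail):
        """m of Table 3.2-2: the literal tail for mf = 0, else a memory fetch.
        Returns None when the fetch address was invalid (STOP is then set)."""
        if mf == 0:
            return tail
        a = self._check_addr(tail + self._base(mf))
        return None if self.STOP else self.mem.get(a, 0)

    def address(self, mf, tail):
        """addr of Table 3.2-2; mf = 0 has no address form, which is the static
        error 'write instruction without an address operand' of Section 3.5.1."""
        if mf == 0:
            self.STOP = True
            return None
        a = self._check_addr(tail + self._base(mf))
        return None if self.STOP else a

    def step(self, op, dreg=None, sreg=None, mf=0, tail=0):
        """Execute one macroinstruction of Table 3.2-1. With STOP set there is
        no state change; otherwise P is incremented and checked first."""
        if self.STOP:
            return self
        self.reg["P"] = self._check_addr(self.reg["P"] + 1)
        if self.STOP:
            return self
        if op == "ADDS":                      # dreg := sreg + m; STOP := overflow
            m = self.operand(mf, tail)
            if m is None:
                return self
            s = self.reg[sreg]
            total = (s + m) & MASK32

            def sign(v):                      # assumption: two's-complement overflow
                return bool(v >> 31 & 1)
            if sign(s) == sign(m) and sign(total) != sign(s):
                self.STOP = True
            self.reg[dreg] = total
        elif op == "CALL":                    # Y := P; P := m
            m = self.operand(mf, tail)
            if m is None:
                return self
            self.reg["Y"] = self.reg["P"]
            self.reg["P"] = self._check_addr(m)   # dynamic error: P overflows 20 bits
        elif op == "READMEM":                 # dreg := m (from memory space)
            m = self.operand(mf, tail)
            if m is not None:
                self.reg[dreg] = m
        elif op == "WRITEMEM":                # mem[addr] := sreg
            a = self.address(mf, tail)
            if a is not None:
                self.mem[a] = self.reg[sreg]
        else:
            raise ValueError("instruction not modelled in this example: " + op)
        return self
```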


3.3 MICRO LEVEL 

Our proof of VIPER is based on a micro-coded design in order to be able to specify VIPER as a 
hierarchy of interpreters using the paradigm described in (ref. 4). As a result, we are able to take 
advantage of the proof simplification afforded by this method. 

Each macro level instruction is implemented by a series of microinstructions. The microcode 
execution traces for each macro instruction are presented in Appendix F. For example, the 
microinstruction trace for the SHLS instruction is illustrated in Figure 3.3-1. 

The microprogram that implements the SHLS instruction uses 10 of the approximately 100 
microinstructions supported by the micro level. Many instructions use the same microinstruc- 
tions, e.g., for fetching instructions, incrementing the program counter, etc. The microinstruction 
AXY_WRITE assures that the destination register is one of a, x, y. For this instruction, the 
destination cannot be the program counter. The microinstruction SHLS_u1 performs the actual 
shift and the write to the destination register. 

A symbolic description of the VIPER microinstructions and the specification of the entire 
micro level are given in Appendix E. The microinstruction format is described in Section 3.5.2. 
Cycle   uCode       uLoc   Comment 

t       fetch_u1    0      fetch macro instruction 
t + 1   fetch_u2    1      increment pc 
t + 2   fetch_u3    2      invalid address (> 20 bits)? 
t + 3   fetch_u4    3      ir <- macro instruction 
t + 4   jmp_reqm    4      require memory? 
t + 5   jmp_opc     5      jump to noop+instruction number 
t + 6   AXY_WRITE   10     destination must be register A, X or Y 
t + 7   SHLS_u1     11     shls operation 
t + 8   NO_OVL      12     result must not overflow 
t + 9   NOOP        13     jump to fetch next macro instruction 

Figure 3.3-1: Microinstruction sequence for SHLS 
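The instruction correctness lemma of Section 2.0, $s(t + n_j) = j(s(t))$, checked for j = SHLS, as an added Python example that is not part of the report: a micro-level model built from the comment column of Figure 3.3-1 is run for $n_{SHLS}$ = 10 cycles and compared with the macro-level SHLS of Section 3.2. The state layout, the memory holding the decoded instruction as a tuple, and the exact effect of each microinstruction are assumptions.

```python
# Added example, not code from the report: the instruction correctness lemma
# for SHLS. macro_shls is j, micro_run is M, and instruction_correct checks
# s(t + 10) = SHLS(s(t)) on a constructed state. Microinstruction effects are
# read off the comments of Figure 3.3-1; the state layout is an assumption.

MASK32 = (1 << 32) - 1
MASK20 = (1 << 20) - 1
MACRO_KEYS = ("A", "X", "Y", "P", "B", "STOP")


def macro_shls(s, dreg, sreg):
    """j for SHLS (Section 3.2): no change if stopped; P := P + 1 with STOP on
    an invalid address; P is not a legal destination (static error, 3.5.1);
    dreg := sreg shifted left; STOP := overflow (the bit shifted out)."""
    s = dict(s)
    if s["STOP"]:
        return s
    s["P"] += 1
    if s["P"] & ~MASK20:
        s["STOP"] = True
        return s
    if dreg == "P":
        s["STOP"] = True
        return s
    v = s[sreg]
    s[dreg] = (v << 1) & MASK32
    s["STOP"] = bool(v >> 31 & 1)
    return s


# One function per microinstruction, keyed by its uLoc in Figure 3.3-1.
def u_fetch1(s):   s["DIN"] = s["MEM"][s["P"]]; s["MPC"] = 1   # fetch macro instruction
def u_fetch2(s):   s["P"] += 1; s["MPC"] = 2                   # increment pc
def u_fetch3(s):                                               # invalid address (> 20 bits)?
    if s["P"] & ~MASK20:
        s["STOP"] = True
    s["MPC"] = 3
def u_fetch4(s):   s["IR"] = s["DIN"]; s["MPC"] = 4            # ir <- macro instruction
def u_jmp_reqm(s): s["MPC"] = 5                                # SHLS needs no memory operand
def u_jmp_opc(s):  s["MPC"] = 10                               # noop + instruction number (10 for SHLS)
def u_axy_write(s):                                            # destination must be A, X or Y
    if s["IR"][1] == "P":
        s["STOP"] = True
    s["MPC"] = 11
def u_shls1(s):                                                # shift and write the destination
    v = s[s["IR"][2]]
    s["RES"], s["OVL"] = (v << 1) & MASK32, bool(v >> 31 & 1)
    s[s["IR"][1]] = s["RES"]
    s["MPC"] = 12
def u_no_ovl(s):                                               # result must not overflow
    if s["OVL"]:
        s["STOP"] = True
    s["MPC"] = 13
def u_noop(s):     s["MPC"] = 0                                # jump to fetch next instruction

MICROCODE = {0: u_fetch1, 1: u_fetch2, 2: u_fetch3, 3: u_fetch4, 4: u_jmp_reqm,
             5: u_jmp_opc, 10: u_axy_write, 11: u_shls1, 12: u_no_ovl, 13: u_noop}


def micro_run(s, n):
    """M: run the micro-level interpreter n cycles (no state change once stopped)."""
    s = dict(s)
    for _ in range(n):
        if s["STOP"]:
            break
        MICROCODE[s["MPC"]](s)
    return s


def project(s):
    """The macro-level view of a micro-level state."""
    return {k: s[k] for k in MACRO_KEYS}


def instruction_correct(s0, n_shls=10):
    """C_SHLS holds for s0 (the word at P decodes to SHLS): s(t + n) = SHLS(s(t))?"""
    _, dreg, sreg = s0["MEM"][s0["P"]]
    return project(micro_run(s0, n_shls)) == macro_shls(project(s0), dreg, sreg)


def make_state(a, x, y, p, dreg, sreg):
    """Constructed micro-level state with a single SHLS dreg, sreg at address p."""
    return {"A": a, "X": x, "Y": y, "P": p, "B": False, "STOP": False,
            "IR": None, "DIN": None, "RES": 0, "OVL": False, "MPC": 0,
            "MEM": {p: ("SHLS", dreg, sreg)}}
```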


3.4 PHASE LEVEL 

The phase level, although it is the lowest level interpreter in the hierarchy, is more properly 
considered to be equivalent to the EBM level, rather than an abstraction of it. In particular, the 
phase and EBM levels share the same state and clock. Each phase in the system clock is associated 
with an instruction in the phase-level interpreter. The inputs to the phase-level interpreter consist 
of a bit-translation of the microinstructions defined for the micro level. In this way, the phase-level 
interpreter implements the micro-level interpreter. 

Each microcycle (the time it takes to complete a single microinstruction) is composed of three 
phase cycles. The specification for the phase level, in Appendix H, has a separate definition for 
each of the phase cycles. The events that occur during each phase are described in Section 3.5.2. 

The result at the first of three phases can be described in a simple way. At this level the 
state consists of a list of general-purpose registers (including a, x, y, p and others), registers 
to hold temporary results, the current instruction, data in and data out to memory (or I/O), 
the memory, b and stop bits, the memory address register and a result register for the ALU, the 
microprogram counter, the microinstruction register, the micro-ROM contents, 2 latches, and phase 
bits (to indicate the current and next phases). If the stop bit is set there is no state change, except 
to indicate there is no next phase. Otherwise, the contents of the micro-ROM as defined by the 
microprogram are fetched and control proceeds to phase 2. The other phases are similar, but much 
more complex, due to the complexity of the steps performed. 




3.5 ELECTRONIC BLOCK LEVEL 

The Electronic Block Model of VIPER used in the proof differs from the original RSRE design 
in several ways. Unlike the original design, the block model is microcoded to enable the use of 
the hierarchical decomposition proof method. The external interface is also different from that of 
the RSRE design in that it does not include certain input and output signals that have no effect 
with regard to the top-level specification. These signals were also ignored in Cohn's proof effort 
(ref. 18). Our VIPER Electronic Block Model is shown in Figure 3.5-1 and the EBM specification 
is in Appendix I. 


3.5.1 THE DATA PATH 


The data path consists of the registers at the phase level in addition to a few others (M, ONE 
and INS) that are used as internal scratchpad registers. INS is the instruction register, M is a 
temporary register used in operand computation and ONE holds the numerical constant '1'. Each 
of the programmer-accessible registers can output its contents onto the internal bus labeled r and 
the other registers can output contents onto the m bus. The least-significant 20 bits of P and INS 
can also be output to the MAR input bus. These registers can be loaded with either the ALU result 
or the word fetched from memory (DIN). 


The m and the r buses feed into a 32-bit ALU that performs functions depending on the values 
of aluctl (the ALU control signal from each microinstruction), ff and the B flag. The overflow 
and result of an operation are fed into both the register block and the micro-sequencing logic unit, 
which sets the STOP flag when an invalid result is generated in some contexts. 




To communicate with memory, there is a 20-bit memory address register (MAR), which 
can be loaded in parallel with an ALU operation, and the data registers DIN and DOUT. The MAR 
and DIN registers are loaded only if the r signal is set, and DOUT is loaded only if the w signal is set. 


The instruction decoder unit takes in 12 bits of opcode from the INS register and the B flag, 
and sets the STOP flag if the opcode is illegal. Otherwise, it generates a condensed opcode. It 
also generates a signal reqm that denotes whether or not the instruction requires computation of 
an operand. This information is used by the microcode for branching purposes. 


Figure 3.5-2: Microinstruction Format 

The STOP flag is set by both the instruction decoder and the micro-sequencing logic units. 
This is due to the fact that the machine could halt for two reasons: illegal instruction format 
(static error cases) and illegal operations during instruction execution (dynamic error cases). More 
precisely, the static errors caught are: 

• Unused opcode. 

• A Call instruction without the P register as the destination. 

• P register as the destination for certain instructions. 

• A Write instruction without an address operand. 

while the dynamic errors that cause the machine to go to a stop state are: 

• Value of P register overflows 20 bits after incrementing. 

• The address after indexing overflows 20 bits. 

• Overflow on ADDS instruction. 

• Overflow on SUBS instruction. 

• Overflow on SHLS instruction. 

• P register as the destination and value overflows 20 bits. 

3.5.2 THE CONTROL UNIT 

In this section, we will explain the part of the block model that generates signals for the Data 
Path section. 

Microinstruction Format A microinstruction is 31 bits long. Its format is as shown in Figure 3.5-2. 
The interpretation of the microinstruction fields is given below. 

maddr: address in the microcode, 7 bits 

seqctl: 3 control lines for the micro sequencing logic: 

(0 0 0) stay idle 
(0 0 1) if reqm=true then me := true; jaddr := maddr+mf[0..1] 
(0 1 0) me := true; jaddr := opc[0..4] + maddr 
(0 1 1) me := true; jaddr := maddr 
(1 0 0) if overflow=true then stop := true 
(1 0 1) if (msb 12 bits of res has a 1) then stop := true 
(1 1 0) if ((df[0..2]=3 or 4 or 5) V (msb 12 bits of res has a 1)) then stop := true 
(1 1 1) if (df[0..2]=4 or 6) then stop := true 


aluctl: 4 control lines for the ALU, interpreted as: 

(0 0 0 0) res := m 
(0 0 0 1) res := r 
(0 0 1 0) B := COMPARE(ff, r, m, b) 
(0 0 1 1) res := -m 
(0 1 0 0) res := r+m; B := carry 
(0 1 0 1) res := r+m 
(0 1 1 0) res := r-m; B := borrow 
(0 1 1 1) res := r-m 
(1 0 0 0) res := r XOR m 
(1 0 0 1) res := r AND m 
(1 0 1 0) res := r NOR m 
(1 0 1 1) res := r AND NOT m 
(1 1 0 0) res := r >> 1, copy sign bit 
(1 1 0 1) res := r >> 1, shift through B 
(1 1 1 0) res := r << 1, overflow := msb 
(1 1 1 1) res := r << 1, shift through B 


dec_ctl: control line to disable/enable the stop output of the instruction decoder 
r: read signal 
w: write signal 

io: read/write from io (if true) or memory (if false) 

mdf: destination select for alu result (for intermediate operations required by the instruction); 3 
lines, decoded as: 

(0 0 0) A 
(0 0 1) X 
(0 1 0) Y 
(0 1 1) P 
(1 0 0) P 
(1 0 1) P 
(1 1 0) M 
(1 1 1) ADDR 

mrf: source register select (for intermediate operations required by the instruction) 

(0 0) A 
(0 1) X 
(1 0) Y 
(1 1) P 


rfc: MUXR control line to decide which of rf/mrf is used to select source register 

dfc: MUXD control line to decide which of df/mdf is used to select destination of alu result 

de: data enable, to enable data from memory to be written into reg block 

re: res enable, to enable the ALU output to be written into reg block 

adrs: address select, to select one of P/ADDR as the address 

ds: data select, to select one of M/INS as destination of data from mem/io 

ms: m select, to select one of M/ONE/ ADDR to come out on the m bus 


Microinstruction Specification A symbolic description of the VIPER microcode and the spec- 
ification for the micro level are given in Appendix E. As an example, consider the microinstruction 
number 19: SHLS_u2, the microinstruction that carries out the shift-left operation once the registers 
have been determined. 

The state relevant to the microinstruction is that of the micro level, in particular the list of 
general purpose registers, the temporary (m), instruction, data input and data output registers, the 
memory, the overflow and stop bits, the memory address register, the (ALU) result register, the 
microprogram counter, and the reset bit. The RSF field determines the source field — the register 
whose contents are to be shifted. Assuming the stop bit is not set, the register determined by 
the DSF field receives the shifted contents of the source register, and the microprogram counter is 
incremented. All other state variables are unaffected. 
Microinstruction Timing Each microcycle is composed of three phase cycles, and the net effect 
of a microinstruction is an accumulation of effects of the three phases in sequence. Briefly, the events 
during each of the phases are as follows: 

a. Load the next microinstruction to be executed into the microinstruction register MIR. 

b. Gate the register values into the MLATCH, RLATCH. Load MAR with P or ADDR if r (read signal) 
is true. Load DOUT if w (write signal) is true. Set the STOP flag if either of the two stop 
conditions is true. 

c. Load DIN with the value from memory if the read signal is true. Load the ALU result of data 
from memory into the register block. Load MPC with the address of the next microinstruction. 
Load RES and OVL with the ALU result and ALU overflow, respectively. 

Microinstruction Sequencing The address of the next microinstruction is either MPC + 1 or 
jaddr, which is computed by the micro-sequencing logic depending on all its inputs. The manner 
in which it is computed is given in the previous section as the explanation of the seqctl field of a 
microinstruction. 
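The aluctl and seqctl decoders of this section, as an added Python model that is not the report's HOL specification. Assumptions: the comparison selected by ff (the page does not spell it out; here ff = 0 tests equality and anything else less-than), the "shift through B" convention (B enters at the vacated end and the bit shifted out replaces B), that me = true means "jump to jaddr", and that opc and df are masked to 5 and 3 bits.

```python
# Added example, not code from the report: the 4-bit aluctl and 3-bit seqctl
# decoders of Section 3.5.2, written from the two tables above. The COMPARE
# semantics, the through-B shift convention and the meaning of me are assumptions.

MASK32 = (1 << 32) - 1


def alu(aluctl, ff, r, m, b):
    """Return (res, B, overflow) for one of the sixteen aluctl encodings."""
    res, B, ovl = 0, b, False
    if aluctl == 0b0000:   res = m
    elif aluctl == 0b0001: res = r
    elif aluctl == 0b0010: B = (r == m) if ff == 0 else (r < m)   # COMPARE(ff, r, m, b), assumed
    elif aluctl == 0b0011: res = (-m) & MASK32
    elif aluctl == 0b0100: res = (r + m) & MASK32; B = (r + m) > MASK32    # B := carry
    elif aluctl == 0b0101: res = (r + m) & MASK32
    elif aluctl == 0b0110: res = (r - m) & MASK32; B = r < m               # B := borrow
    elif aluctl == 0b0111: res = (r - m) & MASK32
    elif aluctl == 0b1000: res = r ^ m
    elif aluctl == 0b1001: res = r & m
    elif aluctl == 0b1010: res = ~(r | m) & MASK32
    elif aluctl == 0b1011: res = r & ~m & MASK32
    elif aluctl == 0b1100: res = (r >> 1) | (r & 0x80000000)               # copy sign bit
    elif aluctl == 0b1101: res = (r >> 1) | (int(b) << 31); B = bool(r & 1)       # through B
    elif aluctl == 0b1110: res = (r << 1) & MASK32; ovl = bool(r >> 31 & 1)       # overflow := msb
    elif aluctl == 0b1111: res = ((r << 1) & MASK32) | int(b); B = bool(r >> 31 & 1)
    else: raise ValueError("aluctl is a 4-bit field")
    return res, B, ovl


def sequencer(seqctl, maddr, mpc, reqm, mf, opc, df, overflow, res):
    """Micro-sequencing logic: (next microinstruction address, stop signal).
    The next address is jaddr when me is set, else MPC + 1."""
    me, jaddr, stop = False, maddr, False
    top12 = bool(res >> 20)            # "msb 12 bits of res has a 1" for a 32-bit res
    if seqctl == 0b000:   pass                                           # stay idle
    elif seqctl == 0b001:
        if reqm: me, jaddr = True, maddr + (mf & 0b11)                 # maddr + mf[0..1]
    elif seqctl == 0b010: me, jaddr = True, (opc & 0b11111) + maddr      # opc[0..4] + maddr
    elif seqctl == 0b011: me = True                                      # jaddr := maddr
    elif seqctl == 0b100: stop = overflow
    elif seqctl == 0b101: stop = top12
    elif seqctl == 0b110: stop = (df & 0b111) in (3, 4, 5) or top12
    elif seqctl == 0b111: stop = (df & 0b111) in (4, 6)
    else: raise ValueError("seqctl is a 3-bit field")
    return (jaddr if me else mpc + 1), stop
```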
4.0 PROOF METHODOLOGY 


The basis of this verification is the use of a package in HOL for abstract representation of functions 
and also a generic model for interpreters based on Windley's thesis. These two methodologies 
provide a way to separate critical control aspects from implementation-level details of concrete data 
operations. Each of these applications of abstract representations is explained before describing 
details of the verification of our VIPER design. 


4.1 ABSTRACT OPERATIONS 

The primitive functions performed by the machine and used in the specification of higher-level 
actions are defined as abstract operations. The HOL specification of these operations is shown in 
Figure 4.1-1. In particular, one may note that the operations are typed using type variables instead 
of concrete types (i.e. *wordn instead of wordn). 

Abstract functions are packaged together into abstract representations, which makes such "definitions" 
possible. Each abstract function can only appear once in any one theory, and the abstract 
representation can be accessed through the name of any of the functions defined in it. The type 
rep_ty given in Figure 4.1-2 is populated by all instances of the abstract representation defined in 
Figure 4.1-1. Any one function in an abstract representation can be used to key into a particular 
set of functions; in this case the function opcode is defined in Figure 4.1-1 and is used as a key in 
Figure 4.1-2. The universally quantified variable rep represents all possible instantiations for the 
set of abstract functions. 1 lie abstraction structure then becomes a parameter for all the other 
specifications that depend on these functions. 

In our work, the functions of this abstract structure are given no meaning other than that 
illustrated in Figure 4.1-1. For example, all we say about add is that it maps two *wordn's into a 
*wordn. At all levels of the hierarchy add has only this meaning. Although not relevant to our proof, 
the exact meaning of add could be specified and shown to be correctly realized by an implementation 
of the ALU. This definition of add is reflected up to the instruction-level specification, and then 
assembly language programs referring to add could be verified. 
new_theory `aux_def`;;

let abs_rep = new_abstract_representation
[
  % ALU functions %

  % negation %
  (`neg`, ":(*wordn -> *wordn)");

  % addition without carry %
  (`add`, ":(*wordn # *wordn -> *wordn)");

  % SHIFTER functions %

  % shift left through b %
  (`shlb`, ":(*wordn # bool -> *wordn)");

  % Coercion functions %

  % numeric value of n-bit word %
  (`val`, ":(*wordn -> num)");

  % Test functions %

  % see if address is valid %
  (`valid_address`, ":(*wordn -> bool)");

  (`decode`, ":((*opcode # bool) -> (bool # bt5 # bool))");

  % Subranging functions %

  % opcode portion of word %
  (`opcode`, ":(*wordn -> *opcode)");

  % Memory functions %

  % fetch a word from memory %
  (`fetch`, ":((*memory # *address) -> *wordn)")
];;

close_theory();;


Figure 4.1-1: Abstract representation of operations 
new_parent `aux_def`;;

let rep_ty = abstract_type `aux_def` `opcode`;;

let load_r = new_definition (`load_r`,
  "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
     (ir:*wordn) (ram:*memory) .
   load_r rep (a, x, y, p, ir, ram) =


Figure 4.1-2: Using an abstract representation 


let cpu_abs = new_abstract_representation
[
  (`inst_list`, ":(*key#(*state->*env->*state))list");
  (`key`, ":*key->num");
  (`select`, ":*state->*env->*key");
  (`cycles`, ":*key->num");
  (`substate`, ":*state'->*state");
  (`subenv`, ":*env'->*env");
  (`Impl`, ":(time'->*state')->(time'->*env')->bool");
  (`count`, ":*state'->*env'->*key'");
  (`start`, ":*key'")
];;


Figure 4.2-1: Abstract representation of a processor 


4.2 VERIFICATION USING AN ABSTRACT INTERPRETER MODEL 


The abstraction mechanism illustrated above is used not only to define the basic operations 
performed by the machine but also to model an "abstract" interpreter, or a general model for a 
processor that performs any given set of instructions. All the proofs of correctness of this abstract 
model of a processor are completed; thus all that is needed is to show that the specification and the 
implementation correspond to the same instantiation of the generic processor. These follow from 
the verification of a small set of proof obligations. 

The components of an abstract interpreter are specified as shown in Figure 4.2-1. The complete 
specification is given in Appendix B. At any time, the pair (state, environment) selects a unique 
instruction to be executed next, through a given key. Each instruction provides a mapping from 
(state, environment) to state. The implementation (Impl) is described as a predicate characterizing 
the state and environment values associated with the lower (implementation) level. 

The abstraction specified by cpu_abs is used in the definition of two properties. INTERP, given 
in Figure 4.2-2, denotes the fact that the state at the next cycle (s (t + 1)) must be the same 
as that specified by the instruction (SND (EL n (inst_list rep))), where the instruction itself 
is chosen by some function of the state and environment (select rep (s t) (e t)). 


let I_rep_ty = abstract_type `gen_I` `key`;;

let INTERP_def = new_definition
  (`INTERP`,
   "! (rep:^I_rep_ty) (s:time->*state) (e:time->*env) .
    INTERP rep s e =
      ! t:time .
        let n = (key rep (select rep (s t) (e t))) in (
          s(t+1) = (SND (EL n (inst_list rep))) (s t) (e t))"
  );;


Figure 4.2-2: Specification of the interpreter 


let impl_imp_def = new_definition
  (`IMPL_IMP`,
   "! inst:(*key#(*state->*env->*state))
      (s':time'->*state')
      (e':time'->*env') .
    IMPL_IMP rep s' e' inst =
      (Impl (rep:^I_rep_ty) s' e') ==>
      (! t:time' .
         let s = (\t. (substate rep (s' t))) in
         let e = (\t. (subenv rep (e' t))) in
         let c = (cycles rep (select rep (s t) (e t))) in (
           (select rep (s t) (e t) = (FST inst)) /\
           (count rep (s' t) (e' t) = (start rep)) ==>
           ((SND inst) (s t) (e t) = (s (t + c))) /\
           (count rep (s' (t + c)) (e' (t + c)) = (start rep))))"
  );;


Figure 4.2-3: Implementation of the interpreter 

The other important property is represented by IMPL_IMP, shown in Figure 4.2-3. This definition 
yields a function which, given the opcode of an instruction, asserts that if inst is the instruction 
currently selected, then after allowing the number of cycles necessary for the implementation to 
execute this instruction, the state is that specified by the instruction. 

These two properties represent the semantics of an interpreter, one dealing with the state 
function and the other dealing with the meaning of each instruction. One step in the verification 
of a processor is to show that, if all the instructions are implemented correctly, then the next-state 
function’s correctness follows. It is this step that is simplified by the use of the generic model. 
new_theory_obligations
[
  "EVERY (IMPL_IMP (rep:^I_rep_ty) (s':time'->*state') (e':time'->*env'))
         (inst_list rep)";

  "!k:*key. (key (rep:^I_rep_ty) k) < (LENGTH (inst_list rep))";
  "!k:*key. k = (FST (EL (key (rep:^I_rep_ty) k) (inst_list rep)))"
];;


Figure 4.2-4: Obligations of the interpreter model 

To obtain the proof of correctness of the interpreter, one must first fulfill the necessary theory 
obligations, displayed in Figure 4.2-4. 

The first of these theory obligations refers to a property to be maintained for each of the 
instructions. This property states that each instruction is implemented correctly. This is the most 
significant of the obligations as it is the most difficult to satisfy. The other two obligations relate to 
the ordering of the instructions, and to the fact that each opcode maps to a particular instruction. 

Once all the proof obligations are discharged, the rest of the proof is completed automatically, 
by using the above properties as lemmas. For example, Figure 4.2-5 shows how a simplified version 
of IMPL_IMP is used in proving an intermediate lemma; in the code shown in Figure 4.2-6 we may 
observe how this lemma is used in the final proof of correctness of the processor, namely that the 
property INTERP (see Figure 4.2-2) holds at all times. 

The use of the interpreter model thus becomes clear: the human verifier only needs to be 
concerned with the proof of each instruction and a few additional properties about the list structure 
of the instructions (the opcode); the interpreter model then combines all these proofs into a final 
proof of correctness for the processor. 
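The two properties and the three obligations just described can be exercised on a finite trace. The following Python model is an added illustration, not HOL code from the report or from the VIPER project: it restates INTERP (Figure 4.2-2), IMPL_IMP (Figure 4.2-3), the two list obligations of Figure 4.2-4 and the time-shift function f of Figure 4.2-6 as checks over bounded traces, and runs them on a constructed two-level machine (a macro level of two instructions, implemented by a micro level that carries a micro-program counter). Every name in it (Rep, MACRO, micro_step, time_shift, verify, BUGGY_STEP) is the example's own, and HOL's universal quantification over all times t becomes a check over the finite trace that was generated.

```python
"""Executable model of the generic interpreter relation of Section 4.2.

Added illustration, not HOL code from the report: INTERP, IMPL_IMP and the
theory obligations of Figure 4.2-4 are restated as checks over finite traces
and run on a constructed two-level toy machine.  All names are the example's.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rep:
    """The fields of cpu_abs (Figure 4.2-1); Impl is represented by a trace."""
    inst_list: list              # [(key, fn(state, env) -> state)]
    key: Callable                # key -> index into inst_list
    select: Callable             # (state, env) -> key of the next instruction
    cycles: Callable             # key -> implementation cycles it takes
    substate: Callable           # implementation state -> abstract state
    subenv: Callable             # implementation env -> abstract env
    count: Callable              # (impl state, impl env) -> where the impl is
    start: Any                   # count value at the start of an instruction


def list_obligations(rep):
    """Second and third obligations: every key indexes inst_list and matches it."""
    n = len(rep.inst_list)
    return all(rep.key(k) < n and rep.inst_list[rep.key(k)][0] == k
               for k, _ in rep.inst_list)


def interp_holds(rep, s, e):
    """INTERP (Figure 4.2-2): s(t+1) is the selected instruction's result."""
    for t in range(len(s) - 1):
        fn = rep.inst_list[rep.key(rep.select(s[t], e[t]))][1]
        if s[t + 1] != fn(s[t], e[t]):
            return False
    return True


def impl_imp_holds(rep, s_impl, e_impl):
    """First obligation, EVERY IMPL_IMP (Figure 4.2-3), checked on one trace."""
    s = [rep.substate(x) for x in s_impl]
    e = [rep.subenv(x) for x in e_impl]
    for t in range(len(s)):
        if rep.count(s_impl[t], e_impl[t]) != rep.start:
            continue                      # not at an instruction boundary
        k = rep.select(s[t], e[t])
        c = rep.cycles(k)
        if t + c >= len(s):
            break                         # trace too short to judge
        if s[t + c] != rep.inst_list[rep.key(k)][1](s[t], e[t]):
            return False                  # wrong abstract state after c cycles
        if rep.count(s_impl[t + c], e_impl[t + c]) != rep.start:
            return False                  # implementation not back at a start
    return True


def time_shift(rep, s_impl, e_impl):
    """The f of Figure 4.2-6: abstract time -> implementation time."""
    f = [0]
    while True:
        t = f[-1]
        k = rep.select(rep.substate(s_impl[t]), rep.subenv(e_impl[t]))
        if t + rep.cycles(k) >= len(s_impl):
            return f
        f.append(t + rep.cycles(k))


# Constructed toy instance: macro state (acc, pc), impl state (acc, pc, upc).
MACRO = [("INC", lambda s, e: (s[0] + 1, s[1] + 1)),
         ("DBL", lambda s, e: (s[0] * 2, s[1] + 1))]
CYCLES = {"INC": 2, "DBL": 3}        # micro-cycles per macro-instruction
INDEX = {"INC": 0, "DBL": 1}


def select(s, e):
    """Constructed program: an even pc runs INC, an odd pc runs DBL."""
    return "INC" if s[1] % 2 == 0 else "DBL"


def make_micro_step(cycles):
    def micro_step(st):
        acc, pc, upc = st
        k = select((acc, pc), None)
        if upc + 1 < cycles[k]:
            return (acc, pc, upc + 1)         # still inside the instruction
        acc2, pc2 = MACRO[INDEX[k]][1]((acc, pc), None)
        return (acc2, pc2, 0)                 # commit and return to start
    return micro_step


REP = Rep(MACRO, INDEX.__getitem__, select, CYCLES.__getitem__,
          lambda st: (st[0], st[1]), lambda ev: ev, lambda st, ev: st[2], 0)


def run_impl(steps, micro_step=make_micro_step(CYCLES)):
    st, trace = (1, 0, 0), [(1, 0, 0)]
    for _ in range(steps):
        st = micro_step(st)
        trace.append(st)
    return trace, [None] * len(trace)


def verify(steps=12, micro_step=make_micro_step(CYCLES)):
    """(obligations ok, IMPL_IMP ok, INTERP ok on s o f, abstract trace)."""
    s_impl, e_impl = run_impl(steps, micro_step)
    f = time_shift(REP, s_impl, e_impl)
    s = [REP.substate(s_impl[t]) for t in f]
    e = [REP.subenv(e_impl[t]) for t in f]
    return (list_obligations(REP), impl_imp_holds(REP, s_impl, e_impl),
            interp_holds(REP, s, e), s)


# A micro level whose DBL finishes one cycle earlier than 'cycles' claims.
BUGGY_STEP = make_micro_step({"INC": 2, "DBL": 2})
```

With the faithful micro level, verify() returns (True, True, True, ...) and the abstract trace read off through f is exactly the one INTERP predicts. With BUGGY_STEP the implementation is already inside the next instruction when IMPL_IMP looks at it, so the count-at-start clause fails and impl_imp_holds returns False; that clause is what ties the cycle count of each instruction to the point at which the next instruction is allowed to begin.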


4.3 HIERARCHICAL PROOF 

Even when using the interpreter model to organize the proof effort, the verification of the 
RSRE VIPER microprocessor still involved a large number of cases to be verified, each of them 
quite complex. As explained previously, we have solved this problem by designing the architecture 
of the processor as a five-level hierarchy. 
let IMPL_NEXTSTATE_LEMMA = TAC_PROOF
  (([],
    "let s = (\t:time'.(substate rep (s' t))) and
         e = (\t:time'.(subenv rep (e' t))) in (
       (Impl (rep:^I_rep_ty)) s' e' ==>
       (! t:time' .
          (count rep (s' t) (e' t) = (start rep)) ==>
          ((substate rep (s' (t+(cycles rep (select rep (s t) (e t)))))) =
           (SND (EL (key rep (select rep (s t) (e t)))
                    (inst_list rep))) (s t) (e t))))"),
   EXPAND_LET_TAC
   THEN REPEAT STRIP_TAC
   THEN POP_ASSUM_LIST (\asl.
     let asl' =
       map (PURE_REWRITE_RULE [EVERY_EL; IMPL_IMP_EXPANDED]) asl in
     MAP_EVERY ASSUME_TAC asl')
   THEN

   THEN FIRST_ASSUM (ACCEPT_TAC o SYM_RULE)
  );;


Figure 4.2-5: Intermediate lemma in final proof 


let IMPL_I_CORRECT = prove_thm
  (`IMPL_I_CORRECT`,
   "let s = (\t:time'.(substate rep (s' t))) and
        e = (\t:time'.(subenv rep (e' t))) in (
      (Impl rep) s' e' /\
      ((count (rep:^I_rep_ty)) (s' 0) (e' 0) = (start rep)) ==>
      let f = time_shift (\st env. (cycles rep (select rep st env))) s e in
      (INTERP rep) (s o f) (e o f))",
   EXPAND_LET_TAC
   THEN REPEAT GEN_TAC
   THEN PURE_REWRITE_TAC [INTERP_DEF_EXPANDED; o_DEF]
   THEN

   THEN IMP_RES_TAC IMPL_NEXTSTATE_LEMMA_EXPANDED
  );;


Figure 4.2-6: Correctness of the interpreter 
The interpreter model is used for all the proof levels. For example, at one level we consider 
the instantiation of the interpreter where the instruction list consists of the macro-instructions and 
the implementation is given by the micro-code. At another level, there is the instantiation with the 
instruction set being the micro-instructions and the implementation consisting of the phase-level 
description of the architecture. 

The next sections describe proofs of the various levels in more detail. Each of these proofs 
consists of specifying the instruction set and the implementation, proving all the numerous lemmas — 
one for each instruction — that constitute the proof obligations, and then instantiating the proofs 
of correspondence for that level. 

Chapter 5 presents the specification of the macro level (the second from the top in our five-level 
hierarchy) in more detail than given in Chapter 3. Proof obligations are generated that relate to 
showing that the macro specification is correctly realized by the micro-level specification (including 
the microcode). 

Chapter 6 presents the specification of the micro level and the proof that it is correctly realized 
by the phase-level specification. 

Chapter 7 presents the specifications of the phase and electronic-block levels and the proof of 
correspondence. 

Finally, Chapter 8 presents the proof of the macro level with respect to the RSRE specification. 
We left this proof for last, as the RSRE specification could not be conveniently captured in the 
generic interpreter theory. 





5.0 MACRO LEVEL SPECIFICATION AND PROOF OF MICRO LEVEL 


5.1 INSTANTIATION OF THE INTERPRETER 

The macro-level view of VIPER is mapped to the interpreter model through the definition 
given in Figure 5.1-1. 

The first parameter of INTERP is the set of macroinstructions macro_inst_list. The machine 
is specified by the action of 20 instructions, listed in Figure 5.1-2. The instruction NOOP_M is repeated 
so as to fill the opcode space up to 32 instructions. Each of these instructions is defined according 
to its effect on the state of the micro-level machine, defined in Figure 5.1-3. In the macro level, 
the processor state consists of the four data registers a, x, y, and p, the (overloaded) overflow 
flag register b, the stop signal, and the memory. Each instruction is specified as a function from a 
state to another state. The effect of an instruction on the state also depends on the reset signal, 
which is set by external processes and, thus, is not a part of the state under consideration. 

Other parameters for instantiating the generic interpreter are: 


• Opcode and Opc_Val: functions to select the macro-level opcode from the macro state and to 
instantiate the key, i.e. to index into the instruction list. 

• MacroLevelCycles: a function that maps each instruction to the number of minor (i.e. micro) 
cycles necessary to complete the execution of the instruction; this number corresponds to 
the number of micro-instructions necessary to implement each macro-instruction. 

• Micro_state_to_Macro_state: a function that indicates which parts of the micro-level state 
are visible at the macro-level. 

• I: the identity function, which signifies that the environment visible to the macro-level is 
identical to the one visible to the micro-level. 

• Micro_I: the implementation, which is the (micro level) interpreter which executes the 
microcode, shown in Figure 6.1-1. 

• GetMPC: a function that selects the micro-program counter from the state, the variable at 
the micro level that holds the current microinstruction. 

• the start address: the opcode that signals the beginning of every micro-level execution. 

Comparing these parameters to the abstract parameters used in the specification of the abstract 
interpreter illustrated in Figure 4.2-1 provides an illustration of how the abstraction mechanism 
works. 


let Macro_Int_def = new_definition
  (`Macro_Int_def`,
   "! (rep:^rep_ty) (s:time->^macro_state) (e:time->^macro_env) .
    Macro_Int rep s e =
      INTERP
        (macro_inst_list rep, Opc_Val, Opcode rep,
         MacroLevelCycles, Micro_state_to_Macro_state rep,
         (I:^micro_env->^macro_env), Micro_I rep,
         GetMPC, ^FETCH_ADDR, (\x:one.F))
        s
        e"
  );;


Figure 5.1-1: Macro-level viewed as an interpreter 


let macro_inst_list = new_definition
  (`macro_inst_list`,
   "! (rep:^rep_ty) .
    macro_inst_list rep =
      [ ((F,F,F,F,F), ABS_ENV (NOOP_M rep));
        ((F,F,F,F,T), ABS_ENV (SHR rep));
        ((F,F,F,T,F), ABS_ENV (SHRB rep));
        ((F,F,F,T,T), ABS_ENV (SHLB rep));
        ((F,F,T,F,F), ABS_ENV (SHL rep));
        ((F,F,T,F,T), ABS_ENV (CMP rep));
        ((F,F,T,T,F), ABS_ENV (WRITEM rep));
        ((F,F,T,T,T), ABS_ENV (WRITEIO rep));
        ((F,T,F,F,F), ABS_ENV (NEG rep));
        ((F,T,F,F,T), ABS_ENV (CALL rep));
        ((F,T,F,T,F), ABS_ENV (READIO rep));
        ((F,T,F,T,T), ABS_ENV (READM rep));
        ((F,T,T,F,F), ABS_ENV (ADDB rep));
        ((F,T,T,F,T), ABS_ENV (ADDO rep));
        ((F,T,T,T,F), ABS_ENV (SUBB rep));
        ((F,T,T,T,T), ABS_ENV (SUBO rep));
        ((T,F,F,F,F), ABS_ENV (XOR rep));
        ((T,F,F,F,T), ABS_ENV (AND rep));
        ((T,F,F,T,F), ABS_ENV (NOR rep));
        ((T,F,F,T,T), ABS_ENV (ANDMBAR rep));
        ((T,F,T,F,F), ABS_ENV (NOOP_M rep));

        ((T,T,T,T,F), ABS_ENV (NOOP_M rep));
        ((T,T,T,T,T), ABS_ENV (NOOP_M rep))]"
  );;


Figure 5.1-2: Macro-instruction list 


let macro_state =
  ":(*wordn#*wordn#*wordn#*wordn#bool#bool#*memory)";;
  %   a      x      y      p     b    stop ram  %


let macro_env = ":(bool)";;


Figure 5.1-3: State as viewed by macro-instructions 


let Macro_Int_IMPL_IMPL_DEF = new_definition
  (`Macro_Int_IMPL_IMPL_DEF`,
   "! (rep:^rep_ty) s' e' .
    Macro_Int_IMPL_IMP rep s' e' =
      IMPL_IMP
        (macro_inst_list rep,
         Opc_Val, Opcode rep, MacroLevelCycles,
         Micro_state_to_Macro_state rep, (I:^micro_env->^macro_env),
         Micro_I rep,
         GetMPC, ^FETCH_ADDR, (\x:one.F)) s' e'"
  );;


Figure 5.1-4: Obligation for macro-instructions 

Once we have an instantiation of the generic interpreter, the next step is to satisfy the proof 
obligations, the heart of which is to prove that each macro-instruction is implemented correctly by 
the corresponding sequence of micro-instructions. In Figure 5.1-4 we can observe the instantiation of 
the function IMPL_IMP (see Figure 4.2-3) for this interpreter; note that even though the opcode does 
not appear in this instantiation, IMPL_IMP is a function that takes an extra numerical argument. 
let write_reg = new_definition(`write_reg`,
  "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
     (stop:bool) (ir:*wordn) (ram:*memory) (value:*wordn) (newb:bool).
   write_reg rep (a, x, y, p, b, stop, ir, ram, value, newb) =
     let dsfValue = (DSF rep ir) in
     ((dsfValue = (F,F,F)) => (value, x, y, p, newb, stop, ram) |
      ((dsfValue = (F,F,T)) => (a, value, y, p, newb, stop, ram) |
       ((dsfValue = (F,T,F)) => (a, x, value, p, newb, stop, ram) |
        (a, x, y, p, b, T, ram))))");;


Figure 5.2-1: The write_reg function 


let SHLB = new_definition(`SHLB`,
  "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
     (b:bool) (stop:bool) (ram:*memory) .
   SHLB rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
          (a, x, y, newp, b, T, ram) |
          (let ir = (fetch rep (ram, address rep p)) in
           let ldr = (load_r rep (a, x, y, newp, ir)) in
           let result = (shlb rep (ldr, b)) in
           let newb = (bitn rep ldr) in
           write_reg rep (a, x, y, newp, b, F, ir, ram, result, newb)
          ))))");;


Figure 5.2-2: Example macro-instruction 

5.2 EXAMPLE SPECIFICATION 

The macro-instructions are specified in terms of auxiliary functions, one of which is shown in 
Figure 5.2-1. The write_reg function defines which destination register is selected based on the 
DSF field. 

The machine instruction for "shift left using the b register" is specified as shown in Figure 5.2-2. 
Given a particular state, the definition characterizes the state after the instruction is executed. 
The machine can already be in a stop state, in which case it will continue to be in that state. It 
will reach a stop state if the address of the next instruction (obtained by incrementing the program 
counter) is illegal. In all other cases, the machine will compute the result of applying the shlb 
abstract function to the contents of ldr, storing the result in the appropriate register and storing 
the bit shifted out into the b register. 
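The three outcomes just described (already stopped, illegal next address, normal completion through write_reg) can be run directly once the abstract operations of Section 4.1 are given a concrete meaning, which the report deliberately leaves open. The Python below is an added illustration and not HOL code from the report or from the VIPER project: it instantiates add, shlb, bitn, fetch, valid_address, address, DSF and RSF for a constructed 32-bit machine with a 2^20-word memory, and transcribes write_reg and SHLB from Figures 5.2-1 and 5.2-2. The instruction-word layout chosen by encode, the register selected by load_r, the memory size and all sample values are this example's own assumptions; write_reg follows the figure as printed, so any DSF value other than 0, 1 or 2 sets the stop flag.

```python
"""Added executable model of write_reg and SHLB (Figures 5.2-1 and 5.2-2).

Not HOL code from the report.  The abstract operations of Section 4.1 are
instantiated for a constructed 32-bit machine; the instruction-word layout,
load_r's register selection and the memory size are assumptions of this example.
"""
WIDTH = 32
MASK = (1 << WIDTH) - 1
MEM_WORDS = 1 << 20              # assumed: addresses >= MEM_WORDS are invalid


class Rep:
    """One concrete instantiation of the abstract representation (Figure 4.1-1)."""
    @staticmethod
    def wordn(n):
        return n & MASK
    @staticmethod
    def add(a, b):               # addition without carry
        return (a + b) & MASK
    @staticmethod
    def shlb(w, b):              # shift left through b: b enters at bit 0
        return ((w << 1) | int(b)) & MASK
    @staticmethod
    def bitn(w):                 # the bit that shlb shifts out (bit WIDTH-1)
        return bool(w >> (WIDTH - 1))
    @staticmethod
    def valid_address(w):
        return w < MEM_WORDS
    @staticmethod
    def address(w):
        return w & (MEM_WORDS - 1)
    @staticmethod
    def fetch(ram, addr):
        return ram.get(addr, 0)
    @staticmethod
    def DSF(ir):                 # destination select field (assumed bits 26..24)
        return (ir >> 24) & 7
    @staticmethod
    def RSF(ir):                 # register select field (assumed bits 23..22)
        return (ir >> 22) & 3


R = Rep()


def load_r(a, x, y, p, ir):
    """Assumed: RSF selects the source register a, x, y or p."""
    return (a, x, y, p)[R.RSF(ir)]


def write_reg(a, x, y, p, b, stop, ir, ram, value, newb):
    """Figure 5.2-1 as printed: DSF 0, 1, 2 select a, x, y; anything else stops."""
    dsf = R.DSF(ir)
    if dsf == 0:
        return (value, x, y, p, newb, stop, ram)
    if dsf == 1:
        return (a, value, y, p, newb, stop, ram)
    if dsf == 2:
        return (a, x, value, p, newb, stop, ram)
    return (a, x, y, p, b, True, ram)


def SHLB(state):
    """Figure 5.2-2: macro state is (a, x, y, p, b, stop, ram)."""
    a, x, y, p, b, stop, ram = state
    if stop:                                   # already stopped: stay stopped
        return state
    newp = R.add(p, R.wordn(1))
    if not R.valid_address(newp):              # next address illegal: stop
        return (a, x, y, newp, b, True, ram)
    ir = R.fetch(ram, R.address(p))
    ldr = load_r(a, x, y, newp, ir)
    result = R.shlb(ldr, b)
    newb = R.bitn(ldr)                         # bit shifted out lands in b
    return write_reg(a, x, y, newp, b, False, ir, ram, result, newb)


SHLB_OPCODE = 3                                # (F,F,F,T,T) in Figure 5.1-2


def encode(opcode, dsf, rsf):
    """Constructed instruction-word layout used by this example only."""
    return (opcode << 27) | (dsf << 24) | (rsf << 22)


def demo():
    """Run SHLB from the four kinds of state the definition distinguishes."""
    ram = {0x10: encode(SHLB_OPCODE, 1, 0),    # x := shlb(a, b)
           0x11: encode(SHLB_OPCODE, 7, 0)}    # illegal destination field
    cases = {
        "normal":  (0x80000001, 0, 0, 0x10, False, False, ram),
        "baddest": (0x80000001, 0, 0, 0x11, False, False, ram),
        "stopped": (5, 6, 7, 0x10, True, True, ram),
        "wrapped": (1, 2, 3, MEM_WORDS - 1, False, False, ram),
    }
    return {name: SHLB(st)[:6] for name, st in cases.items()}
```

In the "normal" case the top bit of a (set here) moves into b and x receives the shifted value with p already incremented; in "baddest" the shift is computed but write_reg's fall-through sets stop and leaves every register alone; "wrapped" stops before any fetch because the incremented program counter is outside the assumed address space; "stopped" returns its input unchanged.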
let MK_INST_CORRECT_GOAL n =
  let inst = term_list_el n
               (snd(dest_eq(
                  snd(dest_forall (concl macro_inst_list))))) in
  "! (rep:^rep_ty) (regs:time->(*wordn)list)
     (m ins din dout:time->*wordn) (ram:time->*memory)
     (b stop ovl:time->bool) (mar:time->*address)
     (res:time->*wordn) (mpc:time->bt7) (reset_e:time->bool) .
   (REG_LIST_LENGTH rep /\
    DECODE_M_CORRECTLY_IMP rep) ==>
   (Macro_Int_IMPL_IMP rep
      (\t. (regs t, m t, ins t, din t, dout t, ram t, b t, stop t,
            ovl t, mar t, res t, mpc t))
      (\t. reset_e t) ^inst)";;


Figure 5.3-1: Function to generate goals 

5.3 PROOF OBLIGATIONS AND EXAMPLE PROOF 

In this section we describe the theorem that, when proved, asserts that the machine instructions 
are correctly implemented by the micro-code, and show how this theorem is proved. The 
proof consists primarily in showing that each of the 20 macro-instructions is implemented by its 
microprogram. The microcode appears in Appendix F. 

An action to be repeated many times is the generation of goals: one for every macroinstruction. 
The goals are generated using the function given in Figure 5.3-1, repeatedly for each of the 
macroinstructions. (The argument for the function is the opcode; thus the function is iterated for 
all values from 0 to 19.) 

The proof of the SHLB instruction is sketched in Figure 5.3-2. The opcode for SHLB is 3. The 
tactic FETCH_INST_TAC simplifies the goal by evaluating the results of fetching the instruction. 
Once the instruction is fetched and decoded, two cases arise: if the write to the destination register 
results in an exception condition then the machine stops; if not then the operation terminates 
successfully. 

The proof may appear to be simple, but each of the tactics applied is very long and involved. 
FETCH_INST_TAC generalizes many steps needed in the proof: 

• it specializes Macro_Int_IMPL_IMP_LEMMA to the appropriate macro-instruction, 

• creates and proves the subgoal that the instruction has been decoded correctly, 

• considers the number of cycles necessary for finishing each instruction, 

• considers the case in which the machine is already in a stop state, 

• or goes into stop state due to an addressing exception. 

The subgoal that remains is to prove the specific sequence of micro-instructions for the given 
instruction. 


set_goal(MK_INST_CORRECT_GOAL 3);;

expand (FETCH_INST_TAC 3
        THEN REWRITE_TAC [write_reg_expanded; load_r_expanded]
        THEN SHIFT_SYMB_EXEC1_TAC
        THENL
        [ SHIFT_BAD_DEST_TAC
        ; SHIFT_GOOD_DEST_TAC1
          THEN SHIFT_GOOD_DEST_TAC2
        ]
       );;


Figure 5.3-2: Proof of SHLB instruction 

All the symbolic execution steps also involve manipulating the time aspects, and controlling the 
number of assumptions generated by resolution and rewriting tactics. These steps involve several 
layers of tactics, all of which are applied on each of the twenty goals (one for each instruction). 

The proof for the other 19 instructions is similar to that of Figure 5.3-2. Each proof involves 
the tactics FETCH_INST_TAC and REWRITE_TAC, but the tactics that deal with symbolic execution of 
the microcode and disposition of normal and error cases are a function of the instruction class in 
question. Thus, there are specialized tactics for addition, reading and writing memory, I/O, etc. 
6.0 MICROCODE SPECIFICATION AND PROOF OF PHASE LEVEL 


6.1 INSTANTIATING THE GENERIC INTERPRETER 


The micro level of VIPER is also an instance of the generic interpreter, with the instruction 
list consisting of the microinstructions and the implementation being represented by the phase-level 
representation. The instantiation is given in Figure 6.1-1. It is useful to compare this instantiation 
with the one illustrated in Figure 5.1-1. The arguments of both are analogous. 


6.2 SPECIFICATION OF MICROINSTRUCTIONS 


The microinstructions operate on a more detailed state than the macro-instructions, as shown 
in Figure 6.2-1. Here, the four registers visible to the macro-instructions are modeled as a list of 
registers instead of a tuple. The other registers are: a temporary register m, the instruction register 
ir, and two memory data registers (for datain and dataout). Two boolean types represent the 
values of the b flag and stop signal, while the other one is the internal overflow signal. The 
memory address register is of type *address. The (temporary) value returned from the ALU is 
stored in the res register. The value of the microprogram counter is of type bt7. The reset signal 
is also visible. 


The sequence of microinstructions needed to implement the SHLB macroinstruction is given 
in Appendix I: the first five cycles are used to fetch the macro-instruction, an optional memory 
fetch is performed (using up to seven additional cycles) and then four microinstructions specific to 
SHLB are executed. 


One of the four microinstructions (SHLB_u2) called in the execution of SHLB is specified in 
Figure 6.2-2. This microinstruction, with opcode of 21, stores the value obtained by a left shift 
into the appropriate register, assuming the stop bit is not set. 
let Micro_I_def = new_definition
  (`Micro_I_def`,
   "! (rep:^rep_ty) (s:time->^micro_state) (e:time->^micro_env) .
    Micro_I rep s e =
      INTERP
        (micro_inst_list rep,
         bt7_val,
         (GetMPC:^micro_state -> ^micro_env -> bt7),
         (PhaseCycles:bt7->num),
         (Phase_Substate:^Phase_state -> ^micro_state),
         (I:^Phase_env -> ^micro_env),
         Phase_I rep,
         (GetPhaseClock:^Phase_state -> ^Phase_env -> triple),
         PhaseClockBegin, (\x:one.F)) s e"
  );;


let Micro_I_IMPL_IMPL_DEF = new_definition
  (`Micro_I_IMPL_IMPL_DEF`,
   "! (rep:^rep_ty) (s:time->^Phase_state) (e:time->^Phase_env) .
    Micro_I_IMPL_IMP rep s e =
      IMPL_IMP
        (micro_inst_list rep,
         bt7_val,
         (GetMPC:^micro_state -> ^micro_env -> bt7),
         (PhaseCycles:bt7->num),
         (Phase_Substate:^Phase_state -> ^micro_state),
         (I:^Phase_env -> ^micro_env),
         Phase_I rep,
         (GetPhaseClock:^Phase_state -> ^Phase_env -> triple),
         PhaseClockBegin, (\x:one.F)) s e"
  );;


Figure 6.1-1: Micro level interpreter in terms of the generic interpreter 


let micro_state =
  ":(((*wordn)list)#*wordn#*wordn#*wordn#*wordn#*memory
  %     a,x,y,p       m      ins    din    dout   ram   %
     #bool#bool#bool#*address#*wordn#bt7)";;
  %    b    stop ovl  mar     res    mpc %

let micro_env = ":(bool)";;


Figure 6.2-1: State as viewed by microinstructions 
let SHLB_u2 = new_definition
  (`SHLB_u2`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    SHLB_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      let sval = shlb rep ((EL (bt2_val(RSF rep ins)) regs), b) in
      stop => (regs, m, ins, din, dout, ram, b, T, ovl, mar, res, ^FETCH_addr) |
              (update_reg regs (DSF rep ins) sval, m, ins, din, dout, ram,
               bitn rep (EL (bt2_val(RSF rep ins)) regs), F, F, mar, sval,
               add_bt7 mpc 1)"
  );;


Figure 6.2-2: Example microcode 


let PROVE_IMPL_IMP_LEMMA n = (
  TAC_PROOF (([],
              MK_IMPL_IMP_GOAL n),
             IMPL_IMP_TAC n));;


let MK_IMPL_IMP_GOAL n =
  let inst = term_list_el n
               (snd(dest_eq(
                  snd(dest_forall(concl micro_inst_list))))) in
  "! (rep:^rep_ty) (regs:time->(*wordn)list)
     (mreg insreg din dout:time->*wordn) (ram:time->*memory)
     (b stop ovl:time->bool) (mar:time->*address) (res:time->*wordn)
     (mpc:time->bt7) (mir:time->ucode) (rlatch mlatch:time->*wordn)
     (ph1 ph2 ph3:time->bool) (reset:time->bool) .
   (!t.
      (stop t ==> ~ph1 t /\ ~ph2 t /\ ~ph3 t) /\
      (ph1 t = ~stop t /\ ~ph2 t /\ ~ph3 t) /\
      (ph2 t = ~stop t /\ ~ph1 t /\ ~ph3 t) /\
      (ph3 t = ~stop t /\ ~ph1 t /\ ~ph2 t)) ==>
   Micro_I_IMPL_IMP rep
     (\t. (regs t, mreg t, insreg t, din t, dout t, ram t,
           b t, stop t, ovl t, mar t, res t, mpc t, mir t, micro_rom,
           rlatch t, mlatch t, ph1 t, ph2 t, ph3 t))
     (\t. (reset t)) ^inst";;


let IMPL_IMP_TAC n =
  let inst = term_list_el n
               (snd(dest_eq(
                  snd(dest_forall(concl micro_inst_list))))) in
  let thm = el (n+1) instructions in
  let find_Phase_I_term tm = (
    let ((x,y),z) = ((dest_comb # I) (dest_comb tm)) in
    (x = "Phase_I (rep:^rep_ty)")) ? false in (
  REPEAT STRIP_TAC
  THEN SUBST_TAC [SPEC inst Micro_IMPL_IMP_LEMMA]
  THEN

  );;


Figure 6.3-1: Correctness of microinstructions 
let theorem_list =
  instantiate_abstract_theorems
    `gen_I`
    [Micro_I_CORRECT_LEMMA;
     Micro_I_LENGTH_LEMMA;
     Micro_I_ORDER_LEMMA]
    [
      ("rep:^I_rep_ty",
       "(micro_inst_list (rep:^rep_ty),
         bt7_val,
         GetMPC:^micro_state->^micro_env->bt7,
         Phase_Substate:^phase_state->^micro_state,
         (I:^phase_env->^micro_env),
         Phase_I rep,
         GetPhaseClock:^phase_state->^phase_env->triple,
         PhaseClockBegin:triple, (\x:one.F))");
      ("e':time'->*env'",
       "(\t:time. (reset t):bool)");
      ("s':time->*state'",
       "(\t. (regs t, mreg t, insreg t, din t, dout t, ram t,
              b t, stop t, ovl t, mar t, res t, mpc t,
              mir t, urom, rlatch t, mlatch t, ph1 t,
              ph2 t, ph3 t)):time->^phase_state")
    ]
    `MICRO`;;

let correct_lemma = snd(hd theorem_list);;


let PHASE_IMPL_MICRO_LEMMA = save_thm
  (`PHASE_IMPL_MICRO_LEMMA`,
   BETA_RULE (
     EXPAND_LET_RULE (
       ONCE_REWRITE_RULE [Phase_Substate; I_THM; GetPhaseClock; PhaseClockBegin] (
         BETA_RULE (
           ONCE_REWRITE_RULE [SYM_RULE Micro_I_def] correct_lemma))))
  );;


Figure 6.3-2: Correctness of the micro level 

6.3 PROOF OBLIGATIONS 


As in the proof of the macro level, the correct implementation of each of the microinstructions 
must be proved. Here the number of lemmas needed is even larger than for the macro level (128 
cases, corresponding to the 128 microinstructions); however, all of them are appreciably simpler. 
The process is repeated for each of the opcodes, as shown in Figure 6.3-1. 

A single tactic (IMPL_IMP_TAC), when instantiated with the microinstruction number, suffices 
to prove each of the 128 cases. 

Once the proof obligations are met, the correctness lemma follows automatically. The proof, 
where the lemmas and instantiations are used to obtain the final theorem of correctness for this 
level, is shown in Figure 6.3-2. 
7.0 PHASE SPECIFICATION, BLOCK SPECIFICATION AND PROOF 


7.1 DESCRIPTION OF THE PHASES 


Both the phase description and the block model manipulate the same state variables, given in 
Figure 7.1-1. Note the correspondence between this view and the structure represented in Figure 3.5-1. 
Also note the variables introduced here (mir, urom, rlatch, etc.) not required in the micro-level 
specification. 

The actions specified by each of the microinstructions are executed in three phases, each of 
which affects different subsets of the state variables. In the first phase the value of the microinstruction 
register is set by fetching the appropriate microinstruction from the micro-rom, as indicated by 
the value in the micro-program counter. This can be observed in the specification of phase_one_def 
given in Figure 7.1-2. 


In the second phase, the micro-instruction is decoded. If the microinstruction calls for a 'read' 
or a 'write' operation the (source or destination) address is fetched into the mar. In the case of 
a 'write' the value to be written out is placed in dout. New values are also obtained for the two 
inputs for the ALU: rlatch and mlatch. The HOL definition for the second phase is given in 
Figure 7.1-3. 

The destinations and other addresses are also checked for exceptions: in cases where any of 
the micro-operations are invalid, the stop signal is set and the processor does not execute the third 
phase; in other cases the machine is ready to run the third phase. 

In the third phase the result computed by the ALU is stored in the appropriate register, and 
the address of the next microinstruction is computed and loaded into mpc, as shown in Figures 7.1-4 
and 7.1-5. The changes made during this phase are to the registers, the m register, the instruction 
register, the datain latch (in the case of a 'read' instruction), the memory in the case of a 'write', 
the flag b, the overflow indicator, the result from the ALU, the mpc, and several others. 

The three phases together, then, indicate the steps needed to execute a micro-instruction. 
Each of the 128 instructions takes three phases. 
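The phase clock, the stop rule of phase one and the rule that an exception in phase two withholds phase three can be exercised on a cut-down state. The Python below is an added illustration, not HOL code from the report or from the VIPER project: it keeps the state fields of Figure 7.1-1 that the three phases touch in this description (regs, mreg, stop, res, mpc, mir, urom, rlatch, mlatch, ph1, ph2, ph3), and checks after every phase cycle the clock hypotheses that MK_IMPL_IMP_GOAL (Figure 6.3-1) assumes: no phase active when stopped, exactly one otherwise. The microinstruction format (alu, src, dest), the 16-bit words, the use of destination 7 as the illegal encoding standing in for DSF = (T,T,T), and the sample micro-rom are this example's own assumptions.

```python
"""Added executable model of the three-phase execution of a microinstruction
(Section 7.1).  Not HOL code from the report: the state is cut down to the
fields the phases touch here, and the microinstruction format (alu, src,
dest), 16-bit words and the sample micro-rom are this example's assumptions.
"""
from dataclasses import dataclass, replace

MASK = 0xFFFF                      # assumed word width
ILLEGAL_DEST = 7                   # stands in for the DSF = (T,T,T) exception
PHASE_CLOCK_BEGIN = (True, False, False)


@dataclass(frozen=True)
class Ucode:
    alu: str                       # "add" or "shl"
    src: int                       # register loaded into rlatch
    dest: int                      # destination register, or ILLEGAL_DEST


@dataclass
class PhaseState:
    regs: list
    urom: list
    mreg: int = 0
    stop: bool = False
    res: int = 0
    mpc: int = 0
    mir: Ucode = None
    rlatch: int = 0
    mlatch: int = 0
    ph1: bool = True               # the clock starts at PHASE_CLOCK_BEGIN
    ph2: bool = False
    ph3: bool = False


def phase_one(st):
    """Figure 7.1-2: a stopped machine stays stopped with no phase active;
    otherwise the microinstruction addressed by mpc is fetched into mir."""
    if st.stop:
        return replace(st, stop=True, mpc=0, ph1=False, ph2=False, ph3=False)
    return replace(st, mir=st.urom[st.mpc], ph1=False, ph2=True, ph3=False)


def phase_two(st):
    """Decode: load the ALU inputs; an illegal destination is the exception
    that sets stop and withholds phase three."""
    exc = st.mir.dest == ILLEGAL_DEST
    return replace(st, rlatch=st.regs[st.mir.src], mlatch=st.mreg,
                   stop=exc, ph1=False, ph2=False, ph3=not exc)


def phase_three(st):
    """Store the ALU result in the destination register and sequence mpc."""
    if st.mir.alu == "add":
        res = (st.rlatch + st.mlatch) & MASK
    else:
        res = (st.rlatch << 1) & MASK
    regs = list(st.regs)
    regs[st.mir.dest] = res
    return replace(st, regs=regs, res=res, mpc=st.mpc + 1,
                   ph1=True, ph2=False, ph3=False)


def phase_step(st):
    """One phase-level cycle: the clock selects the phase to run."""
    if st.ph2:
        return phase_two(st)
    if st.ph3:
        return phase_three(st)
    return phase_one(st)           # ph1, or stopped with no phase active


def clock_invariant(st):
    """Hypotheses of MK_IMPL_IMP_GOAL (Figure 6.3-1): no phase is active when
    stopped, exactly one is active otherwise."""
    active = (st.ph1, st.ph2, st.ph3).count(True)
    return active == 0 if st.stop else active == 1


def run_microinstruction(st):
    """Phase cycles from one PhaseClockBegin to the next, or to a stop: the
    'cycles' that the micro-level IMPL_IMP allows per microinstruction."""
    cycles = 0
    while True:
        st = phase_step(st)
        cycles += 1
        if not clock_invariant(st):
            raise AssertionError("phase clock invariant violated")
        if st.stop or (st.ph1, st.ph2, st.ph3) == PHASE_CLOCK_BEGIN:
            return st, cycles


def demo():
    """Two good microinstructions, one that raises the exception, then one
    attempt to continue from the stopped state (constructed micro-rom)."""
    st = PhaseState(regs=[3, 0, 0, 0], mreg=5,
                    urom=[Ucode("add", 0, 1), Ucode("shl", 1, 2),
                          Ucode("add", 2, ILLEGAL_DEST)])
    out = []
    for _ in range(4):
        st, cycles = run_microinstruction(st)
        out.append((list(st.regs), st.mpc, st.stop, cycles))
    return out
```

Each good microinstruction takes exactly three phase cycles and returns the clock to PhaseClockBegin, which is what lets the micro-level instantiation of Figure 6.1-1 use GetPhaseClock and PhaseClockBegin as its count and start. The third microinstruction stops after two cycles with mpc unchanged, because phase three never runs; from then on phase one keeps the machine stopped and clears mpc, as the stop branch of phase_one_def specifies.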
let Phase_state =
  ":(*wordn)list #              % regs %
    (*wordn #                   % mreg %
    (*wordn #                   % insreg %
    (*wordn #                   % din %
    (*wordn #                   % dout %
    (*memory #                  % ram %
    (bool #                     % b %
    (bool #                     % stop %
    (bool #                     % ovl %
    (*address #                 % mar %
    (*wordn #                   % res %
    (bt7 #                      % mpc %
    (ucode #                    % mir %
    ((num -> ucode) #           % urom %
    (*wordn #                   % rlatch %
    (*wordn #                   % mlatch %
    (bool #                     % phase1 %
    (bool # bool)))))))))))))))))";;
                                % phase2, phase3 %

let Phase_env = ":bool";;


Figure 7.1-1: State manipulated by phase and block levels 


let phase_one_def = new_definition
  (`phase_one_def`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (mreg insreg din dout:*wordn)
      (ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
      (mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
      (ph1 ph2 ph3:bool) (reset:bool) .
    phase_one rep (regs, mreg, insreg, din, dout, ram, b, stop, ovl,
                   mar, res, mpc, mir, urom, rlatch, mlatch, ph1, ph2,
                   ph3) (reset) =
      stop => (regs, mreg, insreg, din, dout, ram, b, T, ovl, mar, res,
               (F,F,F,F,F,F,F), mir, urom, rlatch, mlatch, F, F, F) |
              (regs, mreg, insreg, din, dout, ram, b, F, ovl, mar, res,
               mpc, urom (bt7_val mpc), urom, rlatch, mlatch, F, T, F)"
  );;


Figure 7.1-2: Description of first phase 
let phase_two_def = new_definition
  (`phase_two_def`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (mreg insreg din dout:*wordn)
      (ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
      (mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
      (ph1 ph2 ph3:bool) (reset:bool) .
    phase_two rep (regs, mreg, insreg, din, dout, ram, b, stop, ovl,
                   mar, res, mpc, mir, urom, rlatch, mlatch, ph1, ph2,
                   ph3) (reset) =
      (regs, mreg, insreg, din,
       % new dout %
       (W mir => EL (bt2_val (Rfc mir => (Mrf mir)
                                       | RSF rep insreg)) regs
               | dout),
       ram, b,
       % new stop %
       ((FST (decode rep (opcode rep insreg, b)) /\ (Dec_ctl mir))
        \/ ((Seqctl mir = (F,F,T))
            /\ ((FST (SND (decode rep (opcode rep insreg, b)))) = (F,F,T,T,T))
            /\ ((MSF rep insreg) = (F,F)))
        \/ ((Seqctl mir = (T,F,F)) /\ ovl)
        \/ (DSF rep insreg = (T,T,T))),
       ovl,
       % new mar %
       ((R mir \/ W mir) => (Adrs mir => address rep insreg
                                      | address rep (EL p_reg regs))
                          | mar),
       res, mpc, mir, urom,
       % new rlatch %
       EL (bt2_val (Rfc mir => (Mrf mir)
                             | RSF rep insreg)) regs,
       % new mlatch %
       ((Ms mir = (F,F)) => mreg
        | ((Ms mir = (F,T)) => wordn rep 1
                             | pad rep (address rep insreg))),
       F, F,
       % whether to go to phase three or not %
       ~((FST (decode rep (opcode rep insreg, b)) /\ (Dec_ctl mir))
         \/ (DSF rep insreg = (T,T,T))))"
  );;


Figure 7.1-3: Description of second phase 
let phase_three_def = new_definition
  (`phase_three_def`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (mreg insreg din dout:*wordn)
      (ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
      (mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
      (ph1 ph2 ph3:bool) (reset:bool) .
    phase_three rep (regs, mreg, insreg, din, dout, ram, b, stop, ovl, mar, res,
                     mpc, mir, urom, rlatch, mlatch, ph1, ph2, ph3) (reset) =
      % new regs %
      ((Re mir =>
         ((Dfc mir /\ ((Mdf mir = (T,T,F)) \/ (Mdf mir = (T,T,T)))) =>
            regs |
            update_reg regs
              (Dfc mir => (Mdf mir) | DSF rep insreg) b
              (((Aluctl mir = (F,F,F,F)) \/ (Aluctl mir = (F,F,T,F))) =>
                 mlatch |
               ((Aluctl mir = (F,F,F,T)) =>
                 rlatch |
               ((Aluctl mir = (F,F,T,T)) =>
                 neg rep mlatch |
               (((Aluctl mir = (F,T,F,F)) \/ (Aluctl mir = (F,T,F,T))) =>
                 add rep (rlatch, mlatch) |
               ((Aluctl mir = (T,T,T,F)) =>
                 shl rep rlatch |
                 shlb rep (rlatch, b))))))) |
         regs),
       % new mreg %
       (De mir =>
          (Ds mir => mreg | din) |
          ((Re mir /\ Dfc mir /\
            ((bt3_val (Dfc mir => (Mdf mir) | DSF rep insreg)) = 6)) =>
             ((Aluctl mir = (T,T,T,F)) =>
                shl rep rlatch |
                shlb rep (rlatch, b)) |
           mreg)),
       % new insreg %
       (De mir =>
          (Ds mir => din | insreg) |
          ((Re mir /\ Dfc mir /\
            ((bt3_val (Dfc mir => (Mdf mir) | DSF rep insreg)) = 7)) =>
             join rep (opcode rep insreg, address rep
               (((Aluctl mir = (F,F,F,F)) \/ (Aluctl mir = (F,F,T,F))) =>
                  mlatch |
                ((Aluctl mir = (T,T,T,F)) =>
                  shl rep rlatch |
                  shlb rep (rlatch, b)))) |
           insreg)),
       % new din %
       (R mir => (Io mir => fetchio rep (ram, mar) | fetch rep (ram, mar)) | din),
       % new ram %
       (W mir => (Io mir => storeio rep (ram, mar, dout) | store rep (ram, mar, dout)) | ram),


Figure 7.1-4: Third phase 


       % new b %
       ((Aluctl mir = (F,F,T,F)) =>
          bcmp rep (rlatch, mlatch, b, FSF rep insreg) |
        ((Aluctl mir = (T,T,T,T)) => bitn rep rlatch | b)),
       stop,
       % new ovl %
       (((Aluctl mir = (F,T,F,F)) \/ (Aluctl mir = (F,T,F,T))) =>
          aovfl rep (rlatch, mlatch, add rep (rlatch, mlatch)) |
        (((Aluctl mir = (F,T,T,F)) \/ (Aluctl mir = (F,T,T,T))) =>
          sovfl rep (rlatch, mlatch, sub rep (rlatch, mlatch)) |
        ((Aluctl mir = (T,T,T,F)) => bitn rep rlatch | F))),
       mar,
       % new res %
       (((Aluctl mir = (F,F,F,F)) \/ (Aluctl mir = (F,F,T,F))) =>
          mlatch |
        ((Aluctl mir = (F,F,F,T)) =>
          shl rep rlatch |
          shlb rep (rlatch, b))),
       % new mpc %
       ... ((Seqctl mir = (F,T,T)) => Maddr mir | (F,F,F,F,F,F,F)))) |
        bt7_ival ((bt7_val mpc) + 1)),
       mir, urom, rlatch, mlatch, T, F, F)"
  );;


Figure 7.1-5: Third phase, continuation 
let REG_EN_SPEC = new_definition
  (`REG_EN_SPEC`,
   "! set clk (in:time->*wordn) out .
    REG_EN_SPEC set clk in out =
      !t:time. out (t+1) = ((set t) /\ (clk t)) => in t
                                                  | out t"
  );;


Figure 7.2-1: Register with enable input 


7.2 DESCRIPTION OF BLOCK LEVEL 

The block level is the lowest level of description in this verification, and consists of components 
such as the ALU, registers, flip-flops, etc. Proofs of each of the components are straightforward, 
although gate-level realizations can also be checked by testing. Small components, such as the 
register in Figure 7.2-1, are specified by their behavior. These are used in the structural specification 
of larger components such as the datapath, as shown in Figure 7.2-2. The components are linked 
by existentially quantified variables, which represent the internal lines of the implementation. This 
specification formalizes the block structure depicted in Figure 3.5-1. 


7.3 PROOF OF THE BLOCK LEVEL 

This proof also involves instantiating the generic interpreter model, as in the previous two 
levels. The instantiation is illustrated in Figure 7.3-1. 

To establish the first theory obligation, we prove that Phase_I_IMPL_IMP applies to each of 
the three phases. The proof is relatively simple, though it involves many rewrites and manipulation 
of long descriptions; the basic tactic used in all three proofs is shown in Figure 7.3-2. 

The first obligation follows very easily from the proof of each of the lemmas. The other two 
obligations are also relatively straightforward, as we have to reason about a list of only three 
instructions. The proof is also made simpler because the two levels share the same clock, and they 
observe an identical state and environment. The final proof of correctness at this level is shown in 
Figure 7.3-3. 
let DATAPATH = new_definition
  (`DATAPATH`,
   "! (rep:^rep_ty) (din dout rlatch mlatch res mreg insreg:time->*wordn)
      (b ovl reqm stop msl_stop ph2 ph3 rd wr io dfc din_en result_en
       addr_sel din_sel:time->bool)
      (mar:time->*address) (opc:time->bt5) (regs:time->(*wordn)list)
      (r_sel m_sel:time->bt2) (rft mft:bt2) (result_sel mdf:time->bt3)
      (dft:bt3) (ram:time->*memory) (aluctl:time->bt4)
      (dec_ctl reset:time->bool) .
    DATAPATH rep din dout b mar rlatch mlatch res ovl opc reqm stop msl_stop
             ph2 ph3 regs mreg insreg rft mft dft ram rd wr io mdf dfc aluctl
             dec_ctl r_sel result_sel din_en result_en addr_sel din_sel
             m_sel reset =
      !t:time.
      ? din_i mar_i rlatch_i mlatch_i result alu_ovl alu_b ir dec_stop.
        ((rft = RSF rep (insreg t)) /\
         (mft = MSF rep (insreg t)) /\
         (dft = DSF rep (insreg t)) /\
         (REGISTER_BLOCK rep result din ph3 r_sel result_sel din_en result_en
            addr_sel din_sel m_sel mar_i ir rlatch_i mlatch_i regs mreg insreg
            dfc mdf b) /\
         (MAR_SPEC (\t. ((rd t) \/ (wr t))) ph2 mar_i mar) /\
         (REG_EN_SPEC rd ph3 din_i din) /\
         (REG_EN_SPEC wr ph2 rlatch_i dout) /\
         (EXT_INTERFACE rep rd wr io ph3 mar dout din_i ram) /\
         (REG_SPEC mlatch_i ph2 mlatch) /\
         (REG_SPEC rlatch_i ph2 rlatch) /\
         (ALU_SPEC rep (rlatch t) (mlatch t) (result t) (alu_ovl t) (b t)
            (alu_b t) (aluctl t) (FSF rep (insreg t))) /\
         (REG_SPEC result ph3 res) /\
         (FF_SPEC alu_ovl ph3 ovl) /\
         (FF_SPEC alu_b ph3 b) /\
         (INSDEC_SPEC rep (ir t) (b t) (dec_ctl t) (dec_stop t) (opc t)
            (reqm t)) /\
         (STOP_SPEC stop dec_stop msl_stop ph2))"
  );;


Figure 7.2-2: Data path 
let Phase_I_def = new_definition
  (`Phase_I_def`,
   "! (rep:^rep_ty) (s:time->^Phase_state) (e:time->^Phase_env) .
    Phase_I rep s e =
      INTERP
        ([ONE,   phase_one rep;
          TWO,   phase_two rep;
          THREE, phase_three rep],
         triple_value,
         (GetPhaseClock:^Phase_state->^Phase_env->triple),
         (PhaseLevelCycles:triple->num),
         (I:^EBM_state->^Phase_state),
         (I:^EBM_env->^Phase_env), EBM rep,
         (GetEBMClock:^EBM_state->^EBM_env->bool),
         EBM_Start, (\x:one.F)) s e"
  );;


let Phase_I_IMPL_IMP_DEF = new_definition
  (`Phase_I_IMPL_IMP_DEF`,
   "! (rep:^rep_ty) s' e' .
    Phase_I_IMPL_IMP rep s' e' =
      IMPL_IMP
        ([ONE,   phase_one rep;
          TWO,   phase_two rep;
          THREE, phase_three rep],
         triple_value,
         (GetPhaseClock:^Phase_state->^Phase_env->triple),
         (PhaseLevelCycles:triple->num),
         (I:^EBM_state->^Phase_state),
         (I:^EBM_env->^Phase_env), EBM rep,
         (GetEBMClock:^EBM_state->^EBM_env->bool),
         EBM_Start, (\x:one.F)) s' e'"
  );;


Figure 7.3-1: Instantiating generic interpreter at phase level 


let PHASE_EBM_TAC =
  PURE_ONCE_REWRITE_TAC [Phase_I_IMPL_IMP]
  THEN REPEAT GEN_TAC
  THEN BETA_TAC
  THEN REWRITE_TAC [GetPhaseClock; PhaseLevelCycles;
                    GetEBMClock; EBM_Start; phase_one_def;
                    phase_two_def; phase_three_def]
  THEN SUBST_TAC [EBM_expanded]
  THEN REPEAT STRIP_TAC
  THEN POP_ASSUM_LIST (\asl. (MAP_EVERY (STRIP_ASSUME_TAC
                                         o SPEC_ALL) asl));;


Figure 7.3-2: Tactic for proving individual phases 
let theorem_list =
  instantiate_abstract_theorems
    `gen_I`
    [Phase_I_EVERY_LEMMA;
     Phase_I_LENGTH_LEMMA;
     Phase_I_KEY_LEMMA]
    [("rep:^I_rep_ty",
      "([ONE,   phase_one (rep:^rep_ty);
         TWO,   phase_two rep;
         THREE, phase_three rep],
        triple_value, (GetPhaseClock:^Phase_state->^Phase_env->triple),
        PhaseLevelCycles, (I:^EBM_state->^Phase_state),
        (I:^EBM_env->^Phase_env), EBM rep,
        (GetEBMClock:^EBM_state->^EBM_env->bool), EBM_Start)");
     ("e':time->^env",
      "(\t:time. (reset t)):time->^EBM_env");
     ("s':time->^state",
      "(\t:time. (regs t, mreg t, insreg t, din t, dout t, ram t,
                  b t, stop t, ovl t, mar t, res t, mpc t, mir t, urom,
                  rlatch t, mlatch t, ph1 t,
                  ph2 t, ph3 t)):time->^EBM_state")]
    `PHASE`;;

let EBM_IMPL_PHASE_LEMMA = save_thm
  (`EBM_IMPL_PHASE_LEMMA`,
   (EXPAND_LET_RULE
     (ONCE_REWRITE_RULE [GetEBMClock; EBM_Start; I_THM;
                         TIME_SHIFT_DEGENERATE_LEMMA]
       (BETA_RULE
         (ONCE_REWRITE_RULE [SYM_RULE Phase_I_def] correct_lemma)))));;


Figure 7.3-3: Proof of correctness of phase level 
8.0 MACRO LEVEL CORRESPONDENCE TO RSRE SPECIFICATION 


8.1 INTRODUCTION 

This section describes the verification of our macro level with respect to the level that defines 
the VIPER instructions. The VIPER instruction level, as specified by RSRE, is not in the format 
of our generic interpreter. Hence we employ a style of proof here different from that used in 
the other levels. 

In general terms, the verification described in this section involves showing that each possible 
opcode in the VIPER level is realized by one of the 20 instructions at the macro level with suitable 
values for the three fields: source register select, destination register select, and memory mode 
select. The opcode is a 12-bit field, thus there are 2^12 different values possible for the opcode. An 
abstract decoder is assumed, which maps the 12 opcode bits of the VIPER level to an instruction 
and to the three selection fields at the macro level. 

The VIPER level is divided up into cases, each of which (with a few exceptions) corresponds 
to one of the 20 macroinstructions. Then it is shown that these cases cover the 2^12 possible values 
for the VIPER-level opcode fields. 


8.2 METHODOLOGY 

The NEXT function, as shown in Figure 8.2-1, is the heart of the VIPER instruction specification. 
The NEXT definition is primarily a decoding tree, which determines the subsequent state based on 
the current values in the VIPER registers and memory. For instance, if the 'comp' flag is set, the 
machine will execute a compare operation. If a write operation is requested, VIPER will attempt 
to execute a write operation. 

Even though there are different fields in the instruction register, namely DSF, CSF, FSF, and 
MSF, the interpretations of these fields are not independent of each other. For example, MSF 
is usually used to decide which addressing mode the processor will use to access memory, unless 
FSF is (T,T,F,F), in which case MSF is used to decide which shift operation the machine will 
execute. This lack of orthogonality complicates the verification with respect to the NEXT function, 
because the verifier must "walk through" the decoding tree for each combination of DSF, CSF, 
and MSF and determine the behavior of each instruction. This lack of orthogonality complicated 
Cohn's proof. 
This definition cannot serve as the top level in the interpreter hierarchy, as we have defined 
interpreters. An orthogonal instruction set has to be derived and used as the macro level, the top 
level in the abstract interpreter hierarchy. Furthermore, to prove our implementation of VIPER, 
we also have to prove that our macro level is equivalent to the NEXT state definition as defined 
by RSRE and used by Cohn. 

The proof methodology is as follows. To define the top level in our hierarchy, the RSRE 
level, we first define an interpreter using the RSRE definition of the NEXT state function of 
Figure 8.2-1, referred to as cohn_NEXT: 


    ! (rep:^rep_ty) (s:time->^macro_state) (e:time->^macro_env) .
      cohn_Int rep s e = (!t. s(t+1) = cohn_NEXT rep (s t))


Then the goal to be proved is illustrated in Figure 8.2-2. It expresses the desired property 
that for all possible states visible at the macro and VIPER levels, characterized by the combination 
(a, x, y, p, b, stop, ram), the macro interpreter yields the same next state as the RSRE level 
characterized by the NEXT function. 

To minimize the cases we have to consider, we start with a decoder for the interpreter. The 
decoder in the interpreter is responsible for determining from the state 7-tuple the correct instruction 
for the macro level. For each major case that the decoder generates, we define an instruction to handle 
that case. For instance, if the CSF bit is set, the decoder should select the CMP instruction, a 
bit compare. If the DSF field is (T,T,F) and the CSF bit is not set, the decoder should select the 
WRITEIO instruction. Thus the somewhat ill-structured VIPER instruction set is mapped to an 
orthogonal set. The cases for the decoder and the corresponding instructions are listed in Appendix 
J. 

8.3 DEFINING THE INSTRUCTIONS 

The macro-level instructions can be divided conveniently into five classes. The 
first class consists of instructions that do not access memory. This class includes the shift instructions, 
of which there are four: SHR, SHL, SHRB, SHLB, for right and left shifts with or without the b 
register. There are four cases for each shift instruction, corresponding to the four source registers 
(a, x, y, p), as selected by the RSF field. The load_r function performs this selection. 
NEXT (ram, p, a, x, y, b, stop) =
  (stop => (ram, p, a, x, y, b, T) |
   ((noinc \/ illegaladdr) \/ ((illegalcl \/ illegalsp)
    \/ (illegalonp \/ illegalwr)) =>
      (ram, newp, a, x, y, b, T) |
   (comp => (ram, newp, a, x, y, COMPARE(fsf, source,
                                 MEMREAD(ram, msf, addr, x, y, io, F), b), F) |
   (writeop => (MEMWRITE(ram, source, msf, addr, x, y, io),
                newp, a, x, y, b, F) |
   (skip => (ram, newp, a, x, y, b, F) |
    let m = MEMREAD(ram, msf, addr, x, y, io, NILM(dsf, csf, fsf)) in
    let aluout = ALU(fsf, msf, dsf, source, m, b) in
    ((df = 0) => (ram, newp, VALUE aluout, x, y,
                  BVAL aluout, SVAL aluout) |
    ((df = 1) => (ram, newp, a, VALUE aluout, y,
                  BVAL aluout, SVAL aluout) |
    ((df = 2) => (ram, newp, a, x, VALUE aluout,
                  BVAL aluout, SVAL aluout) |
    (call => (ram, TRIM32TO20(VALUE aluout), a, x,
              INCP32 p, BVAL aluout, SVAL aluout) |
             (ram, TRIM32TO20(VALUE aluout), a, x, y,
              BVAL aluout, SVAL aluout)))))))))


Figure 8.2-1: VIPER's NEXT function 


set_goal([],
  "! (rep:^rep_ty) (a:time->*wordn) (x:time->*wordn) (y:time->*wordn)
     (p:time->*wordn) (b:time->bool) (stop:time->bool)
     (ram:time->*memory) (t:time) .
   (! (ram':*memory) (p':*wordn) .
      ((address rep (pad rep (address rep
         (fetch rep (ram', address rep p')))))
       = address rep (fetch rep (ram', address rep p'))))
   ==>
   ((Macro_Int rep (\t. ((a t), (x t), (y t), (p t), (b t), (stop t),
                         (fetch rep ((ram t), address rep (p t))),
                         (ram t))) (\t. (reset t))) =
    (cohn_Int rep (\t. ((a t), (x t), (y t), (p t), (b t), (stop t),
                        (fetch rep ((ram t), address rep (p t))),
                        (ram t))) (\t. (reset t))))");;


Figure 8.2-2: Goal for the verification step 
The second class of instructions consists of those that write to memory: WRITEM and WRITEIO. There 
are 16 subcases for the WRITEM instruction, corresponding to the possible selections of source and 
destination registers. The proof entails reasoning about 4 subcases for each of the 4 instructions. 

The above two classes of instructions do not require any memory read. The third set of 
instructions consists of those that read memory, where the result cannot be used to modify the p register. 
These instructions are: ADDB, SUBB, NEG, XOR, AND, NOR, ANDMBAR, and READIO. 

There are four cases of memory load and six cases of output writes (three valid and three 
invalid), yielding a total of 24 subcases for each of these instructions. The memory reads can be 
generalized so that only six subcases need be proved for each such instruction. 

The fourth set of instructions is similar to the third set, but these involve writing to the p 
register, in effect achieving a jump or a goto. The specific instructions are: CALL, READM, ADDS, 
and SUBO. 

The specification for CALL is basically the same as that of the ADDB instruction except for some 
minor difference in write_preg. As for the ADDB instruction, there are six subcases for each 
of these instructions. 

The last class of instruction is what we call the compare instruction. We have decided to have 
an abstract function bcmp representing all sixteen cases of compare. The bcmp function appears at 
all levels, including the block level. The memory load is generalized so there is only one case to 
prove for the compare instruction. 
set_goal([],
  "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
     (stop:bool) (ram:*memory) .
   ((~(CSF rep (fetch rep (ram, (address rep p)))) /\
     (~((DSF rep (fetch rep (ram, (address rep p)))) = (T,T,F))) /\
     (~((DSF rep (fetch rep (ram, address rep p))) = (T,T,T))) /\
     (FSF rep (fetch rep (ram, address rep p)) = (T,T,F,F)) /\
     (MSF rep (fetch rep (ram, address rep p)) = (T,T))) ==>
    (SHLB rep (a, x, y, p, b, stop, ram) =
     cohn_NEXT rep (a, x, y, p, b, stop, ram)))");;


Figure 8.4-1: Goal for proof of SHLB 


8.4 PROOF OF SHLB 


As in the previous sections, we have chosen SHLB to illustrate the proof methodology. First 
we identify the conditions on the VIPER-level state under which SHLB is selected, namely: 


    ~CSF /\
    ~(DSF = (T,T,T) \/ DSF = (T,T,F)) /\
    FSF = (T,T,F,F) /\
    MSF = (T,T)


Hence, the goal for the verification of SHLB can be written as in Figure 8.4-1. The goal states 
that if the conditions for invoking the SHLB instruction are satisfied then the effects of the SHLB 
instruction on the macro state are identical to those specified by the NEXT function. As a lemma 
we have proved that the register selected at the macro level and at the VIPER level is the same: 


|- ! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
     (b:bool) (ram:*memory) .
   (cohn_REG rep (RSF rep (fetch rep (ram, address rep p)), a, x, y,
                  add rep (p, wordn rep 1))) =
   (load_r rep (a, x, y, add rep (p, wordn rep 1),
                fetch rep (ram, address rep p)))


We have also decomposed the NEXT definition into cases corresponding to each DSF value, 
as illustrated in Figure 8.4-2. Thus we can rewrite the NEXT definition much faster in our proof. 
There are six DSF values to consider once the two excluded by the preconditions are set aside, 
so six such theorems are required. 


We now dispose of the simple cases (e.g., stop, invalid new program counter after increment) by 
using the tactic illustrated in Figure 8.4-3. 
|- ! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
     (p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
   (let fsf = (FSF rep (fetch rep (ram, address rep p))) in
    let dsf = (DSF rep (fetch rep (ram, address rep p))) in
    let msf = (MSF rep (fetch rep (ram, address rep p))) in
    let rsf = (RSF rep (fetch rep (ram, address rep p))) in
    let csf = (CSF rep (fetch rep (ram, address rep p))) in
    let addr = (address rep (fetch rep (ram, address rep p))) in
    let newp = (add rep (p, wordn rep 1)) in
    let io = ((cohn_OUTPUT rep (dsf, csf)) \/
              (cohn_INPUT rep (dsf, csf, fsf))) in
    let r = cohn_REG rep (rsf, a, x, y, newp) in
    let m = cohn_MEMREAD rep (ram, msf, addr, x,
                              y, io, cohn_NILM rep (dsf, csf, fsf)) in
    let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
    let newp = (add rep (p, wordn rep 1)) in
    (((~stop) /\
      (~csf) /\
      (valid_address rep newp) /\
      (~(dsf = (T,T,T))) /\
      (~(dsf = (T,T,F))) /\
      (dsf = (F,F,F)) /\
      (fsf = (T,T,F,F))) ==>
     (cohn_NEXT rep (a, x, y, p, b, F, ram) =
      (cohn_VALUE aluout, x, y, newp,
       cohn_BVAL aluout, cohn_SVAL aluout,
       ram))))


Figure 8.4-2: Lemmas for cases of DSF 


e (REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN PURE_REWRITE_TAC [SHLB]
   THEN EXPAND_LET_TAC
   THEN ASM_CASES_TAC "stop:bool"
   THEN IMP_RES_TAC cohn_stop
   THEN ASM_REWRITE_TAC []
   THEN ASM_CASES_TAC "(valid_address (rep:^rep_ty)
                          (add rep (p, wordn rep 1))):bool");;

e (IMP_RES_TAC (EXPAND_LET_RULE cohn_noinc)
   THEN ASM_REWRITE_TAC []
   THEN ASM_REWRITE_TAC []);;

e (ASSUM_LIST (\asl. ASSUME_TAC (REWRITE_RULE
                                   [el 19 asl] (el 1 asl)))
   THEN ASM_REWRITE_TAC []);;


Figure 8.4-3: Tactics in proof of SHLB 
|- ! (rep:^rep_ty) (fsf:bt4) (msf:bt2)
     (dsf:bt3) (r:*wordn) (m:*wordn) (b:bool) .
   (((fsf = (T,T,F,F)) /\ (msf = (T,T))) ==>
    (let pwrite = ((dsf = (F,T,T)) \/ ((dsf = (T,F,F)) \/
                   (dsf = (T,F,T)))) in
     (cohn_ALU rep (fsf, msf, dsf, r, m, b)
      = (shlb rep (r, b), (bitn rep r), pwrite))))


|- ! (rep:^rep_ty) (fsf:bt4) (msf:bt2)
     (dsf:bt3) (r:*wordn) (m:*wordn) (b:bool) .
   (((fsf = (T,T,F,F)) /\ (msf = (T,T))) ==>
    (let pwrite = ((dsf = (F,T,T)) \/ ((dsf = (T,F,F)) \/
                   (dsf = (T,F,T)))) in
     let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
     (cohn_VALUE aluout = (shlb rep (r, b)))))


|- ! (rep:^rep_ty) (fsf:bt4) (msf:bt2)
     (dsf:bt3) (r:*wordn) (m:*wordn) (b:bool) .
   (((fsf = (T,T,F,F)) /\ (msf = (T,T))) ==>
    (let pwrite = ((dsf = (F,T,T)) \/ ((dsf = (T,F,F)) \/
                   (dsf = (T,F,T)))) in
     let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
     (cohn_BVAL aluout = (bitn rep r))))


Figure 8.4-4: Lemmas with properties of VIPER level 


Next we step through the DSF cases by first considering DSF = (F,F,F). We must identify 
the values of (cohn_VALUE aluout), (cohn_BVAL aluout), and (cohn_SVAL aluout). The 
theorems displayed in Figure 8.4-4 characterize the values required in the proof. 

By specializing the above theorems, and under the condition that the goal preconditions hold 
and DSF = (F,F,F), we can now prove that the macro and VIPER levels are identical for this 
value of DSF. 

The cases for DSF = (F,F,T) and (F,T,F) can be proven using the same tactic. For 
DSF = (F,T,T), (T,F,F), or (T,F,T), the proofs are simpler, since for each case an error 
condition is generated, which causes execution to stop. 

These error conditions are expressed with respect to the macro level by the following theorem: 
write_reg_illegalpdest_aux =
|- ! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
     (stop:bool) (ir:*wordn) (ram:*memory) (value:*wordn) (newb:bool) .
   ((((DSF rep ir) = (F,T,T)) \/
     ((DSF rep ir) = (T,F,F)) \/
     ((DSF rep ir) = (T,F,T)))
    ==>
    (write_reg rep (a, x, y, p, b, stop, ir, ram, value, newb)
     = (a, x, y, p, b, T, ram)))


and specializing it for SHLB: 


let illegal_shlb = (SPECL ["rep:^rep_ty";
                           "a:*wordn";
                           "x:*wordn"; "y:*wordn";
                           "add (rep:^rep_ty) (p, wordn rep 1)";
                           "b:bool"; "F";
                           "fetch (rep:^rep_ty) (ram, address rep p)";
                           "ram:*memory";
                           "shlb (rep:^rep_ty)
                              ((load_r rep
                                 (a, x, y, add rep (p, wordn rep 1),
                                  fetch rep (ram, address rep p))), b)";
                           "b:bool"]
                          write_reg_illegalpdest_aux);;


In the VIPER level the error conditions corresponding to DSF = (F,T,T), (T,F,F), and 
(T,F,T) are expressed by the theorem in Figure 8.4-5. Hence the proofs of equivalence for the 
cases resulting in errors consist of rewriting the goals using the tactic shown in Figure 8.4-6. 

We have now proven the goal that the macro level correctly implements the shift-left behavior 
at the VIPER instruction level: 


|- ! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
     (p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
   ((~(CSF rep (fetch rep (ram, (address rep p)))) /\
     (~((DSF rep (fetch rep (ram, (address rep p)))) = (T,T,F))) /\
     (~((DSF rep (fetch rep (ram, address rep p))) = (T,T,T))) /\
     (FSF rep (fetch rep (ram, address rep p)) = (T,T,F,F)) /\
     (MSF rep (fetch rep (ram, address rep p)) = (T,T))) ==>
    (SHLB rep (a, x, y, p, b, stop, ram) =
     cohn_NEXT rep (a, x, y, p, b, stop, ram)))
|- ! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
     (p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
   (let fsf = (FSF rep (fetch rep (ram, address rep p))) in
    let dsf = (DSF rep (fetch rep (ram, address rep p))) in
    let msf = (MSF rep (fetch rep (ram, address rep p))) in
    let rsf = (RSF rep (fetch rep (ram, address rep p))) in
    let csf = (CSF rep (fetch rep (ram, address rep p))) in
    let addr = (address rep (fetch rep (ram, address rep p))) in
    let newp = (add rep (p, wordn rep 1)) in
    let io = ((cohn_OUTPUT rep (dsf, csf)) \/
              (cohn_INPUT rep (dsf, csf, fsf))) in
    let r = cohn_REG rep (rsf, a, x, y, newp) in
    let m = cohn_MEMREAD rep (ram, msf, addr, x,
                              y, io, cohn_NILM rep (dsf, csf, fsf)) in
    let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
    let newp = (add rep (p, wordn rep 1)) in
    (((~stop) /\
      (~csf) /\
      (valid_address rep newp) /\
      (~(dsf = (T,T,T))) /\
      (~(dsf = (T,T,F))) /\
      (dsf = (F,T,T)) /\
      (fsf = (T,T,F,F))) ==>
     (cohn_NEXT rep (a, x, y, p, b, F, ram) =
      (a, x, y, newp, b, T, ram))))


Figure 8.4-5: Error cases in VIPER specification 


e (ASM_CASES_TAC "((DSF (rep:^rep_ty) (fetch rep (ram, address rep p)))
                   = (F,T,T)):bool");;

e (IMP_RES_TAC cohn_TTFF_FTT_aux_expanded
   THEN IMP_RES_TAC illegal_shlb
   THEN ASM_REWRITE_TAC [reg_eqv; write_reg; PAIR_EQ]);;

e (ASM_CASES_TAC "((DSF (rep:^rep_ty) (fetch rep (ram, address rep p)))
                   = (T,F,F)):bool");;

e (IMP_RES_TAC cohn_TTFF_TFF_aux_expanded
   THEN IMP_RES_TAC illegal_shlb
   THEN ASM_REWRITE_TAC [reg_eqv; write_reg; PAIR_EQ]);;

e (IMP_RES_TAC dsf_remain);;

e (IMP_RES_TAC cohn_TTFF_TFT_aux_expanded
   THEN IMP_RES_TAC illegal_shlb
   THEN ASM_REWRITE_TAC [reg_eqv; write_reg; PAIR_EQ]);;


Figure 8.4-6: Tactic used in proof of SHLB 
8.5 DEFINITION OF THE DECODER 


It was mentioned above that the mapping from the 12-bit opcode field of the VIPER level to 
the 20 orthogonal instructions of the macro level is effected by a decoder. We have specified the 
decoder in terms of 24 cases, corresponding to the 20 instructions in the macro level, 3 error cases, 
and an extra case for the NOOP instruction. To complete the verification of the macro level it 
is shown that the cases associated with the macro-level instructions are exactly the preconditions 
for these instructions. It is also shown that the cases cover all the possible values for the VIPER 
opcode field, so that no opcode value is left without a macro-level case that defines its behavior. 
The cases for the decoder are given in Appendix J. 
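The coverage argument of Section 8.5 and the SHLB case split of Section 8.4 can be checked mechanically before any HOL proof is attempted, by enumerating the opcode field and asking which case claims each value. The Python script below is an added example and is not code from this report or from its HOL proofs. It assumes the field widths the report names (RSF and MSF two bits each, DSF three, CSF one, FSF four, 12 bits in all), encodes the SHLB preconditions of Figure 8.4-1 and the illegal-p-destination DSF values of write_reg_illegalpdest_aux, and reports the opcodes no case claims and those more than one case claims. The Appendix J case list is not reproduced on this page, so only the two SHLB cases are encoded; the names Opcode, check_partition and SHLB_CASES belong to this example, not to the report.

```python
"""Exhaustive decode-case check over the 12-bit VIPER opcode field.

Added example, not code from the report or its HOL proofs.  Assumptions:
the field widths named in the report (RSF 2 bits, MSF 2, DSF 3, CSF 1,
FSF 4, 12 in all), the SHLB preconditions of Figure 8.4-1, and the
illegal-p-destination DSF values of write_reg_illegalpdest_aux.  The
Appendix J case list is not on the page, so only the two SHLB cases are
encoded here; the names Opcode, check_partition and SHLB_CASES are ours.
"""
from itertools import product
from typing import Callable, Dict, Iterable, List, NamedTuple, Tuple

T, F = True, False


class Opcode(NamedTuple):
    rsf: Tuple[bool, bool]               # source register select
    msf: Tuple[bool, bool]               # memory mode select
    dsf: Tuple[bool, bool, bool]         # destination register select
    csf: bool                            # compare flag
    fsf: Tuple[bool, bool, bool, bool]   # function select


def all_opcodes() -> List[Opcode]:
    """Every value of the opcode field: 4 * 4 * 8 * 2 * 16 = 4096 (2^12)."""
    bits = (F, T)
    return [Opcode(rsf, msf, dsf, csf, fsf)
            for rsf in product(bits, repeat=2)
            for msf in product(bits, repeat=2)
            for dsf in product(bits, repeat=3)
            for csf in bits
            for fsf in product(bits, repeat=4)]


def shlb_selected(op: Opcode) -> bool:
    """Preconditions under which the decoder selects SHLB (Figure 8.4-1)."""
    return (not op.csf
            and op.dsf not in {(T, T, F), (T, T, T)}
            and op.fsf == (T, T, F, F)
            and op.msf == (T, T))


# DSF values for which write_reg raises stop instead of writing
# (write_reg_illegalpdest_aux).
ILLEGAL_P_DEST = {(F, T, T), (T, F, F), (T, F, T)}


def illegal_p_dest(op: Opcode) -> bool:
    return op.dsf in ILLEGAL_P_DEST


Case = Callable[[Opcode], bool]


def check_partition(universe: Iterable[Opcode], cases: Dict[str, Case]):
    """Return (uncovered, overlapping) for a set of named case predicates.

    A sound decoder needs both lists empty: an uncovered opcode is behaviour
    the proof never examines, an overlapping one is two instructions claiming
    the same bit pattern.
    """
    uncovered, overlapping = [], []
    for op in universe:
        hits = [name for name, pred in cases.items() if pred(op)]
        if not hits:
            uncovered.append(op)
        elif len(hits) > 1:
            overlapping.append((op, hits))
    return uncovered, overlapping


# The two SHLB cases of Section 8.4: a real shift, or a stop because the
# destination would be an illegal p write.
SHLB_CASES: Dict[str, Case] = {
    "SHLB":      lambda op: shlb_selected(op) and not illegal_p_dest(op),
    "SHLB_stop": lambda op: shlb_selected(op) and illegal_p_dest(op),
}


def shlb_case_counts() -> Dict[str, int]:
    ops = all_opcodes()
    return {name: sum(1 for op in ops if pred(op))
            for name, pred in SHLB_CASES.items()}


def shlb_subdomain_is_partitioned() -> bool:
    """The 24 opcodes that select SHLB are split exactly once by the two cases."""
    shlb_ops = [op for op in all_opcodes() if shlb_selected(op)]
    uncovered, overlapping = check_partition(shlb_ops, SHLB_CASES)
    return not uncovered and not overlapping


def opcodes_left_for_other_cases() -> int:
    """How many of the 4096 opcodes the remaining Appendix J cases must claim."""
    uncovered, _ = check_partition(all_opcodes(), SHLB_CASES)
    return len(uncovered)


if __name__ == "__main__":
    print(shlb_case_counts())               # {'SHLB': 12, 'SHLB_stop': 12}
    print(shlb_subdomain_is_partitioned())  # True
    print(opcodes_left_for_other_cases())   # 4072
```

Run stand-alone, the script reports the 12/12 split of the 24 opcodes that select SHLB (six permitted DSF values times four RSF values, half of them stopping on an illegal p destination) and the 4072 opcodes still owed to the other 22 cases. Adding the remaining case predicates would drive the uncovered list to empty and the overlapping list must stay empty, which is the pair of properties Section 8.5 establishes in HOL; a predicate written without its CSF guard shows up immediately as an overlap with the compare case.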
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9.0 CONCLUSIONS 


This task was initiated because previous attempts to verify the design of the VIPER micropro- 
cessor using mechanical theorem provers were not completed. Since Cohn s incomplete verification 
effort was published in its entirely, we had the opportunity to attempt to determine why it was so 
difficult to complete. One reason is the large jump in abstraction between the instruction specifica- 
tion and the implementation. The second reason is the complexity ol the specification itself. Many 
machines have clearly identified instructions with orthogonal fields to define addressing modes, 
register selection, etc. Tins is not the case for the VIPER architecture. Thus, although the in- 
struction architecture is not complex, 122 unique cases must be separately considered in verifying 
the implementation. Each ol the cases considered in Colin s VIPER verification effort required 
approximately one person- week to complete. 

Based on the success Windley achieved using a hierarchical methodology to verify a simpler 
microprocessor ( AVM-1 ), we decided to apply the methodology to the VIPER processor. Windley’s 
methodology depends on viewing the design of a microprocessor as a hierarchy of interpreters, the 
topmost providing the abstraction of the instructions accessible to the assembly language program- 
mer and the lowest the implementation that is to be verified. A reasonable choice for the lowest 
level is an abstraction ol the microprocessor that consists of its blocks such as the ALU, registers 
and latches; the original proof effort for the VIPER processor used this as the level to be verified 
and referred to it as the electronic block model. Among the choices for intei mediate levels using 
the Windley methodology is an interpreter of microinstructions, which captures the decision that 
the microprocessor is microcodcd. 

The VIPER design is not microcoded, because the designers concluded that a hardwired design 
is faster than one whore tin' control is achieved through microprograms. Moreover, the VIPER 
design does not suggest any convenient levels other than the instruction level and the electronic 
block model. Consequently, the Windley methodology could not be applied to the VIPER design. 
What our verification effort, is concerned with is a microcoded design that we developed to realize 
the VIPER instruction set; the electronic block model of our design is approximately equivalent in 
complexity to that of RSRE’s design. 

To address the issue of the complexity of the specification, we introduced a level below the 
VIPER instruction level, which provides the same functionality but in terms of 20 orthogonal 
instructions. Ol course VIPER programs will not run on this 20-inslruction level, so it remained to 
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show the equivalence of this new level with the VIPER instruction-set level. Our design consisted 
of 5 levels and entailed the verification of the four lowest of these. 

Our verification demonstrates the following: Corresponding to a VIPER object program instruction 
occupying the 12-bit opcode field, the logic of the electronic-block model is such that the 
correct ALU function will be invoked, the arguments (if any) will be drawn from the correct register 
and main memory locations, the results (if any) will be stored in the correct register (and flag bit) 
or main memory location, and the program counter will be correctly updated (incremented by one 
or set to the correct jump address). Since our design is microcoded, the proof entails (among many 
other things) showing that the microprogram corresponding to each instruction is correct. 

What the verification does not guarantee is important to disclose: 

• Our specification of the electronic block model does not capture the semantics of the low-level 
functions, such as add, shift-left, xor, etc. These functions are not defined. Hence, it is 
not possible to use our specifications to reason about the computations of assembly language 
programs. We could have easily provided a semantics for these functions as a specification to 
be verified of an implementation more concrete than the electronic-block model. We decided 
not to provide such a specification, as our main goal was to verify the control logic of the 
microprocessor. This was also a criticism of Cohn's specification, but Cohn's comes closer 
than ours in capturing the semantics of the operations. 

• Emphasizing what was indicated above, we have not verified an implementation more concrete 
than the electronic-block model, such as a gate-level implementation. It is not clear that 
verification is the most cost-effective approach to checking gate-level descriptions. 

• For simplicity we have assumed a single compare function. The VIPER processor has 16 
compare instructions, but the logic to realize these differs in only trivial ways. 

• The VIPER processor has external control lines, such as a reset button. The RSRE specification 
does not consider these lines, nor do we. 

• Our specification (similar to RSRE's) does not deal with how long an instruction takes to 
execute. Handling timing specifications is feasible, but would severely complicate the verification. 
Again, other techniques are better suited to reasoning about timing for the relatively 
simple control logic that the VIPER processor employs. 

• We have assumed that the main memory responds essentially instantaneously to read or write 
requests. VIPER can support an asynchronous interaction between the processing unit and 
main memory. Techniques are known for modeling such an interaction, but we did not use 
them here. 

• Main memory is assumed to be a black box. It is certainly feasible to consider a less abstract 
model of memory, such as one that models the decoder, sense lines, etc. Again, verification 
is not the best approach to reason about the details of a memory system. 

Our major goal was to determine if the verification of such a hierarchical design is simpler 
than the verification of a flat design, such as VIPER. Furthermore, we wanted to determine if any 
gain is achieved through introduction of an orthogonal instruction set. The most difficult aspect 
of the Cohn verification effort was the consideration of the 122 cases that are part of the RSRE 
specification. Of course, our verification had to face these same 122 cases, but the objects being 
verified with respect to these cases are much "closer" to the specification than was the case for 
Cohn's proof. Having completed the verification, we conclude that the methodology can simplify 
microprocessor verification efforts. 

A second goal was to determine if, through the use of the hierarchical methodology and a 
previous successful verification effort of a simpler microprocessor, the verification of a larger 
microprocessor would be less of a tour de force than has been the experience with previous verification 
efforts. Towards this goal, the main contributors of the project team were two Master-level 
students, with skills in logic but no previous experience with formal methods or mechanical theorem 
provers. Moreover, the proof effort was divided up - each student assuming responsibility for two 
levels. Although each of the students completed his task, their work did not compose. Each student 
made assumptions about the micro level, but in a few instances without communicating them 
to the other. In the end, these changes required most of the proof to be redone - and in the absence 
of those who carried out the initial proof. If the communication between the human provers had 
been better, much grief would have been avoided. 

A third goal was to determine if, through the use of special-purpose HOL tactics, the proof 
could have been accomplished with less human intervention. (HOL is mostly a proof checker, 
as compared with the Boyer-Moore theorem prover. Excessive human intervention is avoided 
through the employment of tactics that match the expressions being reasoned about.) Towards 
this goal, we developed a few symbolic execution tactics intended to cover the actions associated 
with the implementation of an instruction, e.g., a microinstruction, phase instruction, or macro level 
instruction. At the lowest levels, special-purpose symbolic execution tactics worked perfectly, in 
effect handling all cases. At the upper levels we were less successful, requiring hand-crafted tactics 
corresponding to each instruction class (shift, write memory, arithmetic, etc). At the highest level 
(proof of macro to RSRE specification), we were able to reuse very few tactics, a statement about 
the irregularity of the VIPER instruction set. 

A final goal was to determine the effectiveness of HOL for a large proof effort. The proof 
was completed, but it was painful. The experience of HOL users has been that human proof time 
vastly exceeds HOL’s processing time. This was not our experience with this proof. We generated 
expressions that sometimes consumed hours of processing time to reason about. 

Additional issues to be studied include: 

• The scalability of the proof effort. Our team would not have been willing to tackle a 
microprocessor an order of magnitude more complex than the VIPER architecture. The discovery 
of tactics that handle most cases would, of course, simplify the human effort. 

• Reasoning about changes. Most of the HOL processing time and a large fraction of the human 
time was devoted to re-doing proofs subsequent to design changes. Identifying those parts of 
a proof that need not be redone would have saved vast effort. 

• The role of a simulator to discover "obvious" errors. We designed the microprocessor, but 
never tested it. Hence, the verification effort detected errors that would have been discovered 
with the most rudimentary of tests. Not having access to a CAD system with a design 
simulator for HOL specifications, we should have written a simulator in ML. 

• The role of correctness-preserving transformations to transform a verified microcoded design 
into a more efficient hardwired design. 

Further work is needed before it can be concluded that larger microprocessors can be verified 
and that the hierarchical interpreter theory offers benefits in such efforts. Work underway at Boeing 
on the verification of a fault-tolerant processor gives promise of another data point. Clearly, the 
interpreter theory organizes the proof, but still the number of cases that the verifier must consider 
is staggering. There are too many cases to be handled individually. Hand-crafted tactics can be 
constructed to allow the HOL system to process many cases in one shot, but we discovered that 
the performance of the theorem prover was dismal. The use of special Boolean decision packages 
should be of considerable help. 
Appendix A: DESCRIPTION OF HOL 


HOL is a general theorem-proving system developed at the University of Cambridge (ref. 19, 20) that 
is based on Church's theory of simple types, or higher-order logic (ref. 21). Church developed 
higher-order logic as a foundation for mathematics, but it can be used for describing and reasoning about 
computational systems of all kinds. Higher-order logic is similar to the more familiar predicate 
logic, but allows quantification over predicates and functions, not just variables, allowing more 
general systems to be described. 

HOL grew out of Robin Milner's LCF theorem prover (ref. 22) and is similar to other LCF 
progeny such as NUPRL (ref. 23). Because HOL is the theorem-proving environment used in the 
body of this work, we will describe it in more detail. 

HOL's proof style can be tailored to the individual user, but most users find it convenient to 
work in a goal-directed fashion. HOL is a tactic-based theorem prover. A tactic breaks a goal into 
one or more subgoals and provides a justification for the goal reduction in the form of an inference 
rule. Tactics perform tasks such as induction, rewriting, and case analysis. At the same time, 
HOL allows forward inference, and many proofs are a combination of both forward and backward 
proof styles. Any theorem-proving strategy a user employs in connection with HOL is checked for 
soundness, eliminating the possibility of incorrect proofs. 

HOL provides the user with a metalanguage, ML, for programming and extending the theorem 
prover. Using ML, tactics can be put together to form more powerful tactics, new tactics can be 
written, and theorems can be combined into new theories for later use. The metalanguage makes 
the HOL verification system extremely flexible. 

In HOL, all proofs, even tactic-based proofs, are eventually reduced to the application of 
inference rules. Most nontrivial proofs require large numbers of inferences. Proofs of large devices 
such as microprocessors can take many millions of inference steps. In a proof containing millions 
of steps, what kind of confidence do we have that the proof is correct? One of the most important 
features of HOL is that it is secure, meaning that new theorems can only be created in a controlled 
manner. HOL is based on five primitive axioms and eight primitive inference rules. All high-level 
inference rules and tactics do their work through some combination of the primitive inference rules. 
Because the entire proof can be reduced to one using only eight primitive inference rules and five 
primitive axioms, an independent proof-checking program could check the proof syntactically. 
Table A-1: HOL Infix Operators 

    Operator    Application    Meaning 
    =           t1 = t2        t1 equals t2 
    ,           t1,t2          the pair t1 and t2 
    ∧           t1 ∧ t2        t1 and t2 
    ∨           t1 ∨ t2        t1 or t2 
    ==>         t1 ==> t2      t1 implies t2 


The Language. 

The object language of HOL is described in this section. We will discuss HOL's terms and 
types. 

Terms. All HOL expressions are made up of terms. There are four kinds of terms in HOL: 
variables, constants, function applications, and abstractions (lambda expressions). Variables and 
constants are denoted by any sequence of letters, digits, underlines, and primes starting with a 
letter. Constants are distinguished in the logic; any identifier that is not a distinguished constant 
is taken to be a variable. Constants and variables can have any finite arity, not just 0, and, thus, 
can represent functions as well. 

Function application is denoted by juxtaposition, resulting in a prefix syntax. Thus, a term of 
the form "t1 t2" is an application of the operator t1 to the operand t2. The term's value is the 
result of applying t1 to t2. 

An abstraction denotes a function and has the form "λx. t". An abstraction λx. t has 
two parts: the bound variable x and the body of the abstraction t. It represents a function, f, 
such that "f(x) = t". For example, "λy. 2*y" denotes a function on numbers which doubles its 
argument. 

Constants can belong to two special syntactic classes. Constants of arity 2 can be declared 
to be infix. Infix operators are written "rand1 op rand2" instead of in the usual prefix form: 
"op rand1 rand2". Table A-1 shows several of HOL's built-in infix operators. 

Constants can also belong to another special class called binders. A familiar example of a 
binder is ∀. If c is a binder, then the term "c x. t" (where x is a variable) is written as shorthand 
for the term "c(λx. t)". Table A-2 shows several of HOL's built-in binders. 
Table A-2: HOL Binders 

    Binder    Application    Meaning 
    ∀         ∀x. t          for all x, t 
    ∃         ∃x. t          there exists an x such that t 
    ε         εx. t          choose an x such that t is true 


In addition to the infix constants and binders, HOL has a conditional statement that is written 
a → b | c, meaning "if a, then b, else c." 

Types. HOL is strongly typed to avoid Russell's paradox and others like it. Russell's paradox 
occurs in a higher-order logic when one can define a predicate that leads to a contradiction. 
Specifically, suppose that we define P as P(x) = ¬x(x), where ¬ denotes negation. P is true when its 
argument applied to itself is false. Applying P to itself leads to a contradiction since P(P) = ¬P(P) 
(i.e., true = false). This kind of paradox can be prevented by typing since, in a typed system, 
the type of P would never allow it to be applied to itself. 

Every term in HOL is typed according to the following recursive rules: 

a. Each constant or variable has a fixed type. 

b. If x has type α and t has type β, the abstraction λx. t has the type (α → β). 

c. If t has the type (α → β) and u has the type α, the application t u has the type β. 

Types in HOL are built from type variables and type operators. Type variables are denoted by 
a sequence of asterisks (*) followed by a (possibly empty) sequence of letters and digits. Thus, *, 
***, and *ab2 are all valid type variables. All type variables are universally quantified implicitly, 
yielding type polymorphic expressions. 

Type operators construct new types from existing types. Each type operator has a name 
(denoted by a sequence of letters and digits beginning with a letter) and an arity. If σ1, ..., σn are 
types and op is a type operator of arity n, then (σ1, ..., σn)op is a type. Note that type operators 
are postfix while normal function application is prefix or infix. A type operator of arity 0 is a type 
constant. 

HOL has several built-in types which are listed in table A-3. The type operators bool, 
ind, and fun are primitive. HOL has a special syntax that allows (*,**)prod to be written 
as (* # **), (*,**)sum to be written as (* + **), and (*,**)fun to be written as (* -> **). 
Table A-3: HOL Type Operators 

    Operator      Arity    Meaning 
    bool          0        booleans 
    ind           0        individuals 
    num           0        natural numbers 
    (*)list       1        lists of type * 
    (*,**)prod    2        products of * and ** 
    (*,**)sum     2        coproducts of * and ** 
    (*,**)fun     2        functions from * to ** 

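As an added illustration (not from the report), the following Python checker applies typing rules (a) to (c) above to terms built from the four kinds of HOL term; the type encoding (strings for type variables, postfix tuples for type operators) and the term constructors are this example's own conventions, and the last case shows why the Russell predicate P(x) = ¬x(x) is rejected.

```python
# Added example (not from the report): a checker that applies the three HOL
# typing rules (a)-(c) to terms built from variables, constants, applications
# and lambda abstractions.  Conventions chosen for this example: a type
# variable is a string starting with '*'; an n-ary type operator is a tuple
# whose LAST element is the operator name, so ('num', 'bool', 'fun') is
# (num,bool)fun, i.e. num -> bool, written postfix as in HOL.
from dataclasses import dataclass
from typing import Union

Type = Union[str, tuple]

BOOL: Type = ("bool",)
NUM: Type = ("num",)


def fun(dom: Type, rng: Type) -> Type:
    """(dom,rng)fun, which HOL also writes dom -> rng."""
    return (dom, rng, "fun")


@dataclass(frozen=True)
class Var:
    name: str
    ty: Type          # rule (a): a variable has a fixed type


@dataclass(frozen=True)
class Const:
    name: str
    ty: Type          # rule (a): a constant has a fixed type


@dataclass(frozen=True)
class App:            # "t1 t2": apply operator t1 to operand t2
    rator: "Term"
    rand: "Term"


@dataclass(frozen=True)
class Abs:            # "\x. t": bound variable x, body t
    bvar: Var
    body: "Term"


Term = Union[Var, Const, App, Abs]


class IllTyped(Exception):
    pass


def type_of(t: Term) -> Type:
    """Return the type of t, or raise IllTyped when no rule applies."""
    if isinstance(t, (Var, Const)):
        return t.ty                                   # rule (a)
    if isinstance(t, Abs):                            # rule (b)
        return fun(t.bvar.ty, type_of(t.body))
    if isinstance(t, App):                            # rule (c)
        fty, aty = type_of(t.rator), type_of(t.rand)
        if not (isinstance(fty, tuple) and len(fty) == 3 and fty[2] == "fun"):
            raise IllTyped(f"{t.rator} of type {fty} is not a function")
        if fty[0] != aty:                             # types are rigid inside a term
            raise IllTyped(f"operand has type {aty}, operator expects {fty[0]}")
        return fty[1]
    raise IllTyped(f"not a term: {t!r}")


def well_typed(t: Term) -> bool:
    try:
        type_of(t)
        return True
    except IllTyped:
        return False


# --- the examples from the text -------------------------------------------
# "\y. 2*y": the infix constant * of arity 2 is curried, num -> num -> num.
TIMES = Const("*", fun(NUM, fun(NUM, NUM)))
Y = Var("y", NUM)
DOUBLE = Abs(Y, App(App(TIMES, Const("2", NUM)), Y))          # : num -> num

# "!x. x = x" is shorthand for "!(\x. x = x)": the binder ! takes a predicate.
EQ_NUM = Const("=", fun(NUM, fun(NUM, BOOL)))
FORALL_NUM = Const("!", fun(fun(NUM, BOOL), BOOL))
X = Var("x", NUM)
ALL_X_EQ_X = App(FORALL_NUM, Abs(X, App(App(EQ_NUM, X), X)))  # : bool

# Russell's P(x) = ~(x x): whatever fixed type x is given, "x x" applies an
# operator of type (a,b)fun to an operand of type (a,b)fun, but rule (c)
# demands an operand of type a, so the body is ill-typed.
NOT = Const("~", fun(BOOL, BOOL))
X_PRED = Var("x", fun("*", BOOL))
RUSSELL_P = Abs(X_PRED, App(NOT, App(X_PRED, X_PRED)))
```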

The Proof System. 

HOL is not an automated theorem prover but is more than simply a proof checker, falling 
somewhere between these two extremes. HOL has several features that contribute to its use as a 
verification environment: 

a. Several built-in theories, including booleans, individuals, numbers, products, sums, lists, and 
trees. These theories contain the five axioms that form the basis of higher order logic as well 
as a large number of theorems that follow from them. 

b. Rules of inference for higher order logic. These rules contain not only the eight basic rules 
of inference from higher order logic, but also a large body of derived inference rules that 
allow proofs to proceed using larger steps. The HOL system has rules that implement the 
standard introduction and elimination rules for Predicate Calculus as well as specialized rules 
for rewriting terms. 

c. A collection of tactics. Examples of tactics include: REWRITE_TAC, which rewrites a goal 
according to some previously proven theorem or definition; GEN_TAC, which removes unnecessary 
universally quantified variables from the front of terms; and EQ_TAC, which says that to show 
two things are equivalent, we should show that they imply each other. 

d. A proof management system that keeps track of the state of an interactive proof session. 

e. A metalanguage, ML, for programming and extending the theorem prover. Using the metalanguage, 
tactics can be put together to form more powerful tactics, new tactics can be written, 
and theorems can be aggregated to form new theories for later use. The metalanguage makes 
the verification system extremely flexible. 
Appendix B: INTERPRETER THEORY AND ABSTRACT FUNCTIONS 


%
  File: def_aux.ml

  Description: Defines generic functions used in subsequent Viper
               specifications.
%

set_search_path (search_path() @ lib_dir_list);;

loadf `abstract`;;
new_theory `aux_def`;;

new_parent `tuple`;;

new_type_abbrev(`time`, ":num");;

let abs_rep = new_abstract_representation [
% ALU functions %
% negation %
  (`neg`, ":(*wordn -> *wordn)")
;
% addition without carry %
  (`add`, ":(*wordn # *wordn -> *wordn)")
;
% carry predicate for add %
  (`addp`, ":(*wordn # *wordn # *wordn) -> bool")
;
% overflow predicate for add %
  (`aovfl`, ":(*wordn # *wordn # *wordn) -> bool")
;
% subtract %
  (`sub`, ":(*wordn # *wordn) -> *wordn")
;
% carry predicate for sub %
  (`subp`, ":(*wordn # *wordn # *wordn) -> bool")
;
% overflow predicate for sub %
  (`sovfl`, ":(*wordn # *wordn # *wordn) -> bool")
;
% bitwise xor %
  (`bxor`, ":(*wordn # *wordn -> *wordn)")
;
% bitwise and %
  (`band`, ":(*wordn # *wordn -> *wordn)")
;
% bitwise nor %
  (`bnor`, ":(*wordn # *wordn -> *wordn)")
;
% bitwise not %
  (`bnot`, ":(*wordn -> *wordn)")
;
% bitwise or %
  (`bor`, ":(bool # bool -> bool)")
;
% SHIFTER functions %
% shift right, copy sign bit %
  (`shr`, ":(*wordn -> *wordn)")
;
% shift left %
  (`shl`, ":(*wordn -> *wordn)")
;
% shift right thru b %
  (`shrb`, ":(*wordn # bool -> *wordn)")
;
% shift left thru b %
  (`shlb`, ":(*wordn # bool -> *wordn)")
;
% Coercion functions %
% numeric value of n-bit word %
  (`val`, ":(*wordn -> num)")
;
% wordn representation of number %
  (`wordn`, ":(num -> *wordn)")
;
% address part of a word %
  (`address`, ":(*wordn -> *address)")
;
% address converting to a word %
  (`pad`, ":(*address -> *wordn)")
;
% combine msb opcode bits and lsb address bits to wordn %
  (`join`, ":((*opcode # *address) -> *wordn)")
;
% Test functions %
% see if address is valid %
  (`valid_address`, ":(*wordn -> bool)")
;
% decoder %
  (`decode`, ":((*opcode # bool) -> (bool # bt5 # bool))")
;
% Compare function %
% compare two words depending on code %
  (`bcmp`, ":(*wordn # *wordn # bool # bt4 -> bool)")
;
% Subranging functions %
% opcode portion of word %
  (`opcode`, ":(*wordn -> *opcode)")
;
% retrieve bit0 of a *wordn %
  (`bit0`, ":(*wordn -> bool)")
;
% retrieve bitn of a *wordn %
  (`bitn`, ":(*wordn -> bool)")
;
% retrieve rsf of a *wordn %
  (`RSF`, ":(*wordn -> bt2)")
;
% retrieve msf of a *wordn %
  (`MSF`, ":(*wordn -> bt2)")
;
% retrieve dsf of a *wordn %
  (`DSF`, ":(*wordn -> bt3)")
;
% retrieve csf of a *wordn %
  (`CSF`, ":(*wordn -> bool)")
;
% retrieve fsf of a *wordn %
  (`FSF`, ":(*wordn -> bt4)")
;
% Memory functions %
% fetch a word from memory %
  (`fetch`, ":((*memory # *address) -> *wordn)")
;
% store a word in memory %
  (`store`, ":((*memory # *address # *wordn) -> *memory)")
;
% fetch a word from io %  % memory mapped io %
  (`fetchio`, ":((*memory # *address) -> *wordn)")
;
% store a word in memory %  % memory mapped io %
  (`storeio`, ":((*memory # *address # *wordn) -> *memory)")
];;

close_theory();;


%
  File:     mk_I.ml
  Author:   (c) P. J. Windley 1990
  Date:     09 JAN 90
  Modified: 14 FEB 90

  Description:
    Defines a generic interpreter used in subsequent specifications.
    The interpreter is proven to be correct under certain obligations.
    The interpreter in this file is synchronous.
%

set_search_path (search_path() @ lib_dir_list);;

system `/bin/rm gen_I.th`;;

new_theory `gen_I`;;

map loadf [`abstract`];;

new_type_abbrev(`time`, ":num");;
new_type_abbrev(`time'`, ":num");;

%
  Generic specification
%

let cpu_abs = new_abstract_representation
[
  (`inst_list`, ":(*key#(*state->*env->*state))list")
;
  (`key`, ":*key->num")
;
  (`select`, ":*state->*env->*key")
;
  (`cycles`, ":*key->num")
;
  (`substate`, ":*state'->*state")
;
  (`subenv`, ":*env'->*env")
;
  (`Impl`, ":(time'->*state')->(time'->*env')->bool")
;
  (`count`, ":*state'->*env'->*key'")
;
  (`start`, ":*key'")
];;

make_inst_thms cpu_abs;;

let I_rep_ty = abstract_type `gen_I` `key`;;

% The abstract interpreter: at every time t the next state is obtained by
  looking up (via key) the instruction that select chooses in state s t,
  environment e t, and applying its semantics.                         %
let INTERP_def = new_definition
  (`INTERP`,
   "! (rep:^I_rep_ty) (s:time->*state) (e:time->*env) .
      INTERP rep s e =
        ! t:time .
          let n = (key rep (select rep (s t) (e t))) in (
          s(t+1) = (SND (EL n (inst_list rep))) (s t) (e t))"
  );;

let INTERP_DEF_EXPANDED = EXPAND_LET_RULE INTERP_def;;

%<
let FIND = new_recursive_definition
  false
  list_Axiom
  `FIND`
  "(FIND x [] = 0) /\
   (FIND x (CONS h t) =
     (x = h) => 0 | 1 + (FIND x t))";;

letrec pos x l =
  null l => 0 |
  (x = (hd l)) => 1 | (1 + (pos x (tl l)));;
>%

% Obligation for one instruction: whenever the implementation is at its
  start count and select picks this instruction, then cycles steps later
  the abstracted state equals the instruction's semantics and the count is
  back at start.                                                          %
let impl_imp_def = new_definition
  (`IMPL_IMP`,
   "! inst:(*key#(*state->*env->*state))
      (s':time'->*state')
      (e':time'->*env') .
      IMPL_IMP rep s' e' inst =
        (Impl (rep:^I_rep_ty) s' e') ==>
        (! t:time' .
          let s = (\t. (substate rep (s' t))) in
          let e = (\t. (subenv rep (e' t))) in
          let c = (cycles rep (select rep (s t) (e t))) in (
            (select rep (s t) (e t) = (FST inst)) /\
            (count rep (s' t) (e' t) = (start rep)) ==>
              ((SND inst) (s t) (e t) = (s (t + c))) /\
              (count rep (s' (t + c)) (e' (t + c)) = (start rep))))"
  );;

let IMPL_IMP_EXPANDED = EXPAND_LET_RULE impl_imp_def;;

new_theory_obligations
[
  "EVERY (IMPL_IMP (rep:^I_rep_ty) (s':time'->*state') (e':time'->*env'))
         (inst_list rep)"
;
  "!k:*key . (key (rep:^I_rep_ty) k) < (LENGTH (inst_list rep))"
;
  "!k:*key . k = (FST (EL (key (rep:^I_rep_ty) k) (inst_list rep)))"
];;

let IMPL_NEXTSTATE_LEMMA = TAC_PROOF
  (([],
    "let s = (\t:time .(substate rep (s' t))) and
         e = (\t:time .(subenv rep (e' t))) in (
       (Impl (rep:^I_rep_ty)) s' e' ==>
       (! t:time' .
         (count rep (s' t) (e' t) = (start rep)) ==>
           ((substate rep (s' (t+(cycles rep (select rep (s t) (e t)))))) =
            (SND (EL (key rep (select rep (s t) (e t)))
                     (inst_list rep))) (s t) (e t))))"),
   EXPAND_LET_TAC
   THEN REPEAT STRIP_TAC
   THEN POP_ASSUM_LIST (\asl .
     let asl' =
       map (PURE_REWRITE_RULE [EVERY_EL; IMPL_IMP_EXPANDED]) asl in
     MAP_EVERY ASSUME_TAC
       (map
         (\thm .
           (SPEC "(key (rep:^I_rep_ty)
                       (select rep
                               (substate rep (s' t))
                               (subenv rep (e' t))))" thm) ?
           (SPEC "(select (rep:^I_rep_ty)
                          (substate rep (s' t))
                          (subenv rep (e' t)))" thm) ?
           thm) asl'))
   THEN RES_TAC
   THEN POP_ASSUM (\thm. ASSUME_TAC (REWRITE_RULE [] (SPEC "t:time'" thm)))
   THEN RES_TAC
   THEN FIRST_ASSUM (ACCEPT_TAC o SYM_RULE)
  );;

let IMPL_NEXTSTATE_LEMMA_EXPANDED = EXPAND_LET_RULE IMPL_NEXTSTATE_LEMMA;;

% time_shift f s e n maps abstract time n to implementation time by summing
  the cycle counts of the first n instructions executed.                  %
let time_shift = new_prim_rec_definition
  (`time_shift`,
   "(time_shift f (s:time->*state) (e:time->*env) 0 = 0) /\
    (time_shift f s e (SUC n) = (
      let t = (time_shift f s e n) in
      t + (f (s t) (e t))))"
  );;

let I_CLOCK_LEMMA = TAC_PROOF
  (([],
    "let s = (\t:time .(substate rep (s' t))) and
         e = (\t:time .(subenv rep (e' t))) in (
       (Impl rep) s' e' /\
       ((count rep) (s' 0) (e' 0) = (start rep)) ==>
       !t. let t_impl =
             (time_shift (\st env. (cycles rep (select rep st env))) s e t) in
           (count (rep:^I_rep_ty)) (s' t_impl) (e' t_impl) = (start rep))"),
   EXPAND_LET_TAC
   THEN REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN INDUCT_TAC
   THEN REWRITE_TAC [time_shift; o_DEF; LET_DEF]
   THEN (FIRST_ASSUM ACCEPT_TAC ORELSE ALL_TAC)
   THEN POP_ASSUM (\thm. ASSUME_TAC
     (CONV_RULE (TOP_DEPTH_CONV BETA_CONV)
       (ONCE_REWRITE_RULE [o_DEF] thm)))
   THEN BETA_TAC
   THEN POP_ASSUM_LIST (\asl .
     let asl' =
       map (PURE_REWRITE_RULE [EVERY_EL; IMPL_IMP_EXPANDED]) asl in
     MAP_EVERY ASSUME_TAC
       (map
         (\thm .
           (SPEC "(key (rep:^I_rep_ty)
                       (select rep
                         (substate rep
                           (s'
                             (time_shift
                               (\st env. cycles rep (select rep st env))
                               (\t'. substate rep (s' t'))
                               (\t'. subenv rep (e' t')) t)))
                         (subenv rep
                           (e'
                             (time_shift
                               (\st env. cycles rep (select rep st env))
                               (\t'. substate rep (s' t'))
                               (\t'. subenv rep (e' t')) t)))))" thm) ?
           (SPEC "(select (rep:^I_rep_ty)
                    (substate rep
                      (s'
                        (time_shift
                          (\st env. cycles rep (select rep st env))
                          (\t'. substate rep (s' t'))
                          (\t'. subenv rep (e' t')) t)))
                    (subenv rep
                      (e'
                        (time_shift
                          (\st env. cycles rep (select rep st env))
                          (\t'. substate rep (s' t'))
                          (\t'. subenv rep (e' t')) t))))" thm) ?
           thm) asl'))
   THEN RES_TAC
   THEN POP_ASSUM (\thm. ASSUME_TAC (REWRITE_RULE []
     (SPEC "(time_shift
              (\st env. cycles (rep:^I_rep_ty) (select rep st env))
              (\t'. substate rep (s' t'))
              (\t'. subenv rep (e' t')) t):time'" thm)))
   THEN RES_TAC
  );;

let I_CLOCK_LEMMA_EXPANDED = EXPAND_LET_RULE I_CLOCK_LEMMA;;

% Main result: under the obligations, the implementation sampled at the
  times given by time_shift is a model of the abstract interpreter.       %
let IMPL_I_CORRECT = prove_thm
  (`IMPL_I_CORRECT`,
   "let s = (\t:time .(substate rep (s' t))) and
        e = (\t:time .(subenv rep (e' t))) in (
      (Impl rep) s' e' /\
      ((count (rep:^I_rep_ty)) (s' 0) (e' 0) = (start rep)) ==>
      let f = time_shift (\st env. (cycles rep (select rep st env))) s e in
      (INTERP rep) (s o f) (e o f))",
   EXPAND_LET_TAC
   THEN REPEAT GEN_TAC
   THEN PURE_REWRITE_TAC [INTERP_DEF_EXPANDED; o_DEF]
   THEN STRIP_TAC
   THEN IMP_RES_TAC (PURE_ONCE_REWRITE_RULE [o_DEF] I_CLOCK_LEMMA_EXPANDED)
   THEN GEN_TAC
   THEN BETA_TAC
   THEN PURE_ONCE_REWRITE_TAC
     [EXPAND_LET_RULE (REWRITE_RULE [ADD1] time_shift)]
   THEN BETA_TAC
   THEN POP_ASSUM (\x. ASSUME_TAC (SPEC "t:time" x))
   THEN IMP_RES_TAC IMPL_NEXTSTATE_LEMMA_EXPANDED
  );;

close_theory();;
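As an added illustration (not from the report or from mk_I.ml), the following Python simulation mirrors the generic interpreter above: INTERP, time_shift, the IMPL_IMP obligation and IMPL_I_CORRECT are checked by running traces of a constructed two-instruction microcoded machine rather than by proof. The machine, its microprogram, the deliberately faulty variant and the program are all constructed for this example; it is the kind of rudimentary simulator the discussion above says would have caught obvious errors early.

```python
# Added example (not from the report or mk_I.ml): a Python simulation of the
# generic interpreter above (INTERP, time_shift, IMPL_IMP, IMPL_I_CORRECT) on a
# constructed two-instruction machine. The obligations are tested on traces,
# not proved; machine, microprogram and program are all constructed here.
from typing import List, Tuple

State = Tuple[int, int]                 # macro state  (acc, pc)
StateP = Tuple[int, int, int, int]      # micro state' (acc, pc, mpc, tmp)
Env = tuple                             # program memory; e(t) is constant here
START = 0                               # start: micro-pc value between instructions

def fetch(e: Env, pc: int) -> tuple:
    return e[pc % len(e)]               # program memory wraps (constructed)

# ---- macro level: select, inst_list, key, cycles ---------------------------
def select(s: State, e: Env) -> str:    # select: *state -> *env -> *key
    return fetch(e, s[1])[0]

def inc_sem(s: State, e: Env) -> State:
    acc, pc = s
    return (acc + 1, pc + 1)

def addi_sem(s: State, e: Env) -> State:
    acc, pc = s
    return (acc + fetch(e, pc)[1], pc + 1)

INST_LIST = [("INC", inc_sem), ("ADDI", addi_sem)]   # (*key # semantics) list
KEY = {"INC": 0, "ADDI": 1}                          # key: *key -> num (index)
CYCLES = {"INC": 2, "ADDI": 3}                       # cycles: micro-cycles per key

def interp_step(s: State, e: Env) -> State:
    """INTERP: s(t+1) = SND (EL (key (select (s t) (e t))) inst_list) (s t) (e t)."""
    return INST_LIST[KEY[select(s, e)]][1](s, e)

# ---- micro level: Impl, substate, count ------------------------------------
def substate(sp: StateP) -> State:
    return (sp[0], sp[1])

def count(sp: StateP, e: Env) -> int:   # count: *state' -> *env' -> *key'
    return sp[2]

def impl_step(sp: StateP, e: Env) -> StateP:
    """One micro-cycle of the constructed microcoded implementation (Impl)."""
    acc, pc, mpc, tmp = sp
    op = fetch(e, pc)
    if op[0] == "INC":                  # 2 cycles: decode, then increment
        return (acc, pc, 1, tmp) if mpc == 0 else (acc + 1, pc + 1, START, 0)
    if mpc == 0:                        # ADDI k: fetch the operand ...
        return (acc, pc, 1, op[1])
    if mpc == 1:                        # ... add it into tmp ...
        return (acc, pc, 2, acc + tmp)
    return (tmp, pc + 1, START, 0)      # ... write back and advance pc

def buggy_impl_step(sp: StateP, e: Env) -> StateP:
    """Constructed fault: the ADDI write-back forgets to advance pc."""
    acc, pc, mpc, tmp = sp
    if fetch(e, pc)[0] == "ADDI" and mpc == 2:
        return (tmp, pc, START, 0)
    return impl_step(sp, e)

def trace(step, sp0: StateP, e: Env, n: int) -> List[StateP]:
    tr = [sp0]                          # s'(0), s'(1), ..., s'(n)
    for _ in range(n):
        tr.append(step(tr[-1], e))
    return tr

def time_shift(tr: List[StateP], e: Env, n: int) -> int:
    """time_shift f s e n with f = cycles o select: macro time n -> micro time."""
    t = 0
    for _ in range(n):
        t += CYCLES[select(substate(tr[t]), e)]
    return t

def impl_imp_violations(step, sp0: StateP, e: Env, n: int) -> List[int]:
    """Micro times at which IMPL_IMP fails on a trace: if count = start and
    select picks k, then after cycles k micro-cycles the substate must equal
    k's macro semantics and count must be start again."""
    tr, bad = trace(step, sp0, e, n), []
    for t in range(n):
        if count(tr[t], e) != START:
            continue
        s = substate(tr[t])
        k = select(s, e)
        if t + CYCLES[k] > n:
            break                       # trace too short to judge this one
        sp1 = tr[t + CYCLES[k]]
        if substate(sp1) != INST_LIST[KEY[k]][1](s, e) or count(sp1, e) != START:
            bad.append(t)
    return bad

def interp_holds(step, sp0: StateP, e: Env, macro_steps: int) -> bool:
    """IMPL_I_CORRECT by simulation: given Impl and count (s' 0) (e' 0) = start,
    INTERP holds for the abstracted trace s o f, e o f with f = time_shift."""
    if count(sp0, e) != START:
        return False
    tr = trace(step, sp0, e, max(CYCLES.values()) * macro_steps)
    for n in range(macro_steps):
        t0, t1 = time_shift(tr, e, n), time_shift(tr, e, n + 1)
        if substate(tr[t1]) != interp_step(substate(tr[t0]), e):
            return False
    return True

PROGRAM: Env = (("ADDI", 5), ("INC",), ("ADDI", -2), ("INC",))   # constructed
```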


%
  File: mk_aux.ml

  Description: Prove auxiliary theorems used in subsequent proofs.
%

system `/bin/rm aux_thms.th`;;
new_theory `aux_thms`;;

%
  Auxiliary list definitions and theorems
%

% SET_EL n lst x replaces the n-th element of lst by x %
let SET_EL_DEF = new_prim_rec_definition
  (`SET_EL_DEF`,
   "(SET_EL 0 (lst:(*)list) x = (CONS x (TL lst))) /\
    (SET_EL (SUC n) lst x = (CONS (HD lst) (SET_EL n (TL lst) x)))"
  );;

let SET_EL = prove_thm
  (`SET_EL`,
   "! h t x .
      (SET_EL 0 (CONS h t) x = (CONS x t)) /\
      (SET_EL (SUC n) (CONS h t) x = (CONS h (SET_EL n t x)))",
   REPEAT GEN_TAC
   THEN REWRITE_TAC [SET_EL_DEF; HD; TL]
  );;

let EL_SET_EL = prove_thm
  (`EL_SET_EL`,
   "! x n lst . EL n (SET_EL n lst x) = x",
   GEN_TAC
   THEN INDUCT_TAC
   THEN REWRITE_TAC [SET_EL_DEF; EL; CONS; TL; HD]
   THEN LIST_INDUCT_TAC
   THENL [
     POP_ASSUM (\x. ASSUME_TAC (SPEC "TL[]:(*)list" x))
   ;
     ALL_TAC
   ]
   THEN ASM_REWRITE_TAC [TL]
  );;

close_theory();;
%
  File: threeval.ml

  Description: Defines a new type 'triple' with members ONE, TWO,
               THREE, used to instantiate *key in the EBM to Phase
               level proof of Viper.
%

system `/bin/rm -f threeval.th`;;
new_theory `threeval`;;

let triple = define_type `triple` `triple = ONE | TWO | THREE`;;

let y = prove_constructors_distinct triple;;

let triple_induct = prove_induction_thm triple;;

let triple_cases = prove_cases_thm triple_induct;;

let triple_value = new_definition(
  `triple_value`,
  "!x:triple . triple_value x = (x=ONE) => 0 |
                                (x=TWO) => 1 |
                                2"
  );;

let triple_VALUE_LEMMA = prove_thm
  (`triple_VALUE_LEMMA`,
   "(triple_value ONE = 0) /\ (triple_value TWO = 1)
    /\ (triple_value THREE = 2)",
   REWRITE_TAC [triple_value] THEN
   STRIP_ASSUME_TAC y THEN
   ASSUM_LIST(\asl . REWRITE_TAC [NOT_EQ_SYM (el 1 asl); NOT_EQ_SYM (el 2 asl);
                                  NOT_EQ_SYM (el 3 asl)])
  );;

% triple_value always indexes into a three-element instruction list %
let triple_LENGTH_LEMMA = prove_thm
  (`triple_LENGTH_LEMMA`,
   "! (x:triple) (l1 l2 l3:*) . triple_value x < (LENGTH [l1; l2; l3])",
   REPEAT GEN_TAC THEN REWRITE_TAC [LENGTH] THEN
   REWRITE_TAC [triple_value] THEN
   COND_CASES_TAC THENL [
     REWRITE_TAC [LESS_0]
   ;
     COND_CASES_TAC THENL [
       CONV_TAC (TOP_DEPTH_CONV num_CONV)
       THEN REWRITE_TAC [LESS_MONO_EQ; LESS_0]
     ;
       CONV_TAC (TOP_DEPTH_CONV num_CONV)
       THEN REWRITE_TAC [LESS_MONO_EQ; LESS_0]
     ]
   ]
  );;

close_theory();;
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Appendix C: VIPER LEVEL SPECIFICATION 


X 


Prove that the macro level ==> cohn level 

X 

system '/bin/rm cohn.eqvaux . th' ; ; 

set.search.path (search. path( ) & lib.dir.list) ; ; 

loadf ‘abstract 4 ;; 

new.theory * cohn_eqvaux 1 ; ; 

new.parent ‘ aux.def ‘ ; ; 
new. parent * cohn_ viper 4 ; ; 
new. parent ‘ macro.def * ; ; 

let rep.ty = abstract.type ‘aux.def' ‘opcode 4 ;; 

let cohn. REG - definition 'cohn.viper' 'cohn.REG';; 

let cohn.INVALID * definition ‘cohn. viper' 1 cohn.INVALID' ; ; 

let write. reg E EXPAND. LET. RULE (definition ‘macro. def' ‘ write.reg ' ) ; ; 
let load.r *= EXPAND. LET.RULE (definition ‘macro. def' ‘load.r');; 

let cohn.NEXT = definition 'cohn. viper' ‘ cohn. NEXT' ; ; 
let cohn.NEXT. expanded = EXPAND. LET.RULE cohn.NEXT;; 


*/* register loads are eqv 7* 
let reg.eqv * prove.thm 
(‘reg.eqv 4 , 

'* ! (rep; “rep.ty ) (a:*vordn) (x:*wordn) (y:*wordn) (p:*wordn) 
(b:bool) (ram : ^memory ) . 

(cohn.REG rep (RSF rep(fetch rep(ram , address rep p)),a,x,y t 
add rep(p,vordn rep 1))) = 

(load.r rep (a, x, y, add rep (p, wordn rep 1), 
fetch rep (ram, address rep p))) n , 

REPEAT GEN.TAC 

THEN PURE.REWRITE.TAC [cohn.REG; load.r] 

THEN REPEAT (COND.CASES.TAC THEN ASM.REWRITE.TAC [PAIR.EQ] ) ) ; ; 

7. cohn.stop % 

let cohn.stop = prove.thm ( 

* cohn.stop' , 

"! (rep ; “rep.ty ) (a:*wordn) (x:*wordn) (y;*wordn) (p:*wordn) 
(brbool) (stop:bool) (ram : *raeinory ) . 


0-2 
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stop »*> 

(cohn„NEXT rep (a, x, y, p, b, stop, rain) 

* (a, x, y, p, b, T, ram))", 

REPEAT GEN.TAC 
THEN STRIP.TAC 

THEN ASM.REWRITE.TAC [cohn.NEXT.expanded] ) ; ; 


'/, cohii.no inc */♦ 

let cohn.noinc = prove. thin 

( ‘ cohn.no inc ‘ , 

M ! (rep: 'rep.ty) (a:*wordn) (x:*wordn) (y;*wordn) 

(p : +wordn) (b:bool) (stop:bool) (ram : ^memory ) . 
(let newp = (add rep (p, (wordn rep 1))) in 
((( 'valid. address rep newp) /\ 

('stop)) *=> 

(cohn.NEXT rep (a, x, y t p, b, stop, ram) 

= (a, x, y, newp, b, T, ram))))", 

REPEAT GEN.TAC 
THEN EXPAND.LET.TAC 
THEN STRIP.TAC 

THEN ASM.REWRITE.TAC [cohn.NEXT.expanded ; cohn.INVALID] ) ; ; 


% write_reg_illegalpdest_aux %

let write_reg_illegalpdest_aux = prove_thm
  (`write_reg_illegalpdest_aux`,
   "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
      (stop:bool) (ir:*wordn) (ram:*memory)
      (value:*wordn) (newb:bool) .
      (((DSF rep ir) = (F,T,T)) \/
       ((DSF rep ir) = (T,F,F)) \/
       ((DSF rep ir) = (T,F,T)))
      ==>
      (write_reg rep (a, x, y, p, b, stop, ir,
                      ram, value, newb)
       = (a, x, y, p, b, T, ram))",
   REPEAT GEN_TAC THEN STRIP_TAC THEN
   ASM_REWRITE_TAC [write_reg; PAIR_EQ]);;


let THREE_TUPLE_VALUE_LEMMA = theorem `tuple` `THREE_TUPLE_VALUE_LEMMA`;;

let three_tuple_value_lemma = (SPECL ["b:bt3"] THREE_TUPLE_VALUE_LEMMA);;

let bt3_remaining_lemma = prove_thm
  (`bt3_remaining_lemma`,
   "! (b:bt3) .
      ((~(b = (F,F,F))) /\
       (~(b = (F,F,T))) /\
       (~(b = (F,T,F))) /\
       (~(b = (F,T,T))) /\
       (~(b = (T,F,F))) /\
       (~(b = (T,T,F))) /\
       (~(b = (T,T,T))))
      ==> (b = (T,F,T))",
   REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN ASSUM_LIST (\asl. ASSUME_TAC (REWRITE_RULE [(el 1 asl);
                                                    (el 2 asl); (el 3 asl);
                                                    (el 4 asl); (el 5 asl);
                                                    (el 6 asl); (el 7 asl)]
                                                   three_tuple_value_lemma))
   THEN ASM_REWRITE_TAC[]);;


let TWO_TUPLE_VALUE_LEMMA = theorem `tuple` `TWO_TUPLE_VALUE_LEMMA`;;

let two_tuple_value_lemma = (SPECL ["b:bt2"] TWO_TUPLE_VALUE_LEMMA);;

let bt2_remaining_lemma = prove_thm
  (`bt2_remaining_lemma`,
   "! (b:bt2) .
      ((~(b = (F,F))) /\
       (~(b = (F,T))) /\
       (~(b = (T,F))))
      ==> (b = (T,T))",
   REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN ASSUM_LIST (\asl. ASSUME_TAC (REWRITE_RULE [(el 1 asl);
                                                    (el 2 asl); (el 3 asl)]
                                                   two_tuple_value_lemma))
   THEN ASM_REWRITE_TAC[]);;


%
Author: Tony Leung
University of California, Davis

Prove that the macro level ==> cohn level
%

system `/bin/rm cohn_TTFF_aux.th`;;

set_search_path (search_path() @ lib_dir_list);;

loadf `abstract`;;

new_theory `cohn_TTFF_aux`;;

new_parent `aux_def`;;
new_parent `cohn_viper`;;
new_parent `macro_def`;;

let rep_ty = abstract_type `aux_def` `opcode`;;

let cohn_ALU = EXPAND_LET_RULE (definition `cohn_viper` `cohn_ALU`);;

let cohn_SVAL = definition `cohn_viper` `cohn_SVAL`;;

let cohn_BVAL = definition `cohn_viper` `cohn_BVAL`;;

let cohn_VALUE = definition `cohn_viper` `cohn_VALUE`;;

let cohn_INVALID = definition `cohn_viper` `cohn_INVALID`;;

let cohn_ILLEGALCALL = definition `cohn_viper` `cohn_ILLEGALCALL`;;

let cohn_SPAREFUNC = definition `cohn_viper` `cohn_SPAREFUNC`;;

let cohn_ILLEGALPDEST = definition `cohn_viper` `cohn_ILLEGALPDEST`;;

let cohn_WRITE = definition `cohn_viper` `cohn_WRITE`;;

let cohn_ILLEGALWRITE = definition `cohn_viper` `cohn_ILLEGALWRITE`;;

let cohn_NILM = definition `cohn_viper` `cohn_NILM`;;

let cohn_NOOP = definition `cohn_viper` `cohn_NOOP`;;

let cohn_REG = definition `cohn_viper` `cohn_REG`;;

let write_reg = EXPAND_LET_RULE (definition `macro_def` `write_reg`);;
let load_r = EXPAND_LET_RULE (definition `macro_def` `load_r`);;

let cohn_NEXT = definition `cohn_viper` `cohn_NEXT`;;
let cohn_NEXT_expanded = EXPAND_LET_RULE cohn_NEXT;;

let write_reg = EXPAND_LET_RULE (definition `macro_def` `write_reg`);;

% cohn_WRITE_TTFF %

let cohn_WRITE_TTFF = prove_thm
  (`cohn_WRITE_TTFF`,
   "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
      (b:bool) (ram:*memory) .
      (~(((DSF rep (fetch rep (ram, address rep p))) = (T,T,T)) \/
         ((DSF rep (fetch rep (ram, address rep p))) = (T,T,F)))) ==>
      (cohn_WRITE rep (DSF rep (fetch rep (ram, address rep p)),
                       (CSF rep (fetch rep (ram, address rep p))))
       = F)",
   REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN ASM_REWRITE_TAC [cohn_WRITE; PAIR_EQ]);;
% cohn_illegalcall_TTFF %

let cohn_illegalcall_TTFF = prove_thm
  (`cohn_illegalcall_TTFF`,
   "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
      (stop:bool) (ram:*memory) .
      (((FSF rep (fetch rep (ram, address rep p))) = (T,T,F,F))
       ==> ((cohn_ILLEGALCALL rep
              ((DSF rep (fetch rep (ram, address rep p))),
               (CSF rep (fetch rep (ram, address rep p))),
               (FSF rep (fetch rep (ram, address rep p))))) = F))",
   REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN ASM_REWRITE_TAC[cohn_ILLEGALCALL; PAIR_EQ]);;


let cohn_NILM_TTFF = prove_thm
  (`cohn_NILM_TTFF`,
   "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
      (b:bool) (ram:*memory) .
      ((~(CSF rep (fetch rep (ram, address rep p)))) /\
       (~(DSF rep (fetch rep (ram, address rep p)) = (T,T,T))) /\
       (~(DSF rep (fetch rep (ram, address rep p)) = (T,T,F))) /\
       (FSF rep (fetch rep (ram, address rep p)) = (T,T,F,F)))
      ==> (cohn_NILM rep ((DSF rep (fetch rep (ram, address rep p))),
                          (CSF rep (fetch rep (ram, address rep p))),
                          (FSF rep (fetch rep (ram, address rep p))))
           = T)",
   REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN ASM_REWRITE_TAC [cohn_NILM; PAIR_EQ]);;


let cohn_sparefunc_TTFF = prove_thm
  (`cohn_sparefunc_TTFF`,
   "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool) .
      ((((FSF rep (fetch rep (ram, address rep p))) = (T,T,F,F)) ==>
        (cohn_SPAREFUNC rep (
           (DSF rep (fetch rep (ram, address rep p))),
           (CSF rep (fetch rep (ram, address rep p))),
           (FSF rep (fetch rep (ram, address rep p))))
         = F)))",
   REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN ASM_REWRITE_TAC [cohn_SPAREFUNC; PAIR_EQ]);;
% cohn_ILLEGALWRITE_TTFF %

let cohn_ILLEGALWRITE_TTFF = prove_thm
  (`cohn_ILLEGALWRITE_TTFF`,
   "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
      (b:bool) (ram:*memory) .
      (~(((DSF rep (fetch rep (ram, address rep p))) = (T,T,T)) \/
         ((DSF rep (fetch rep (ram, address rep p))) = (T,T,F)))) ==>
      (cohn_ILLEGALWRITE rep (DSF rep (fetch rep (ram, address rep p)),
                              (CSF rep (fetch rep (ram, address rep p))),
                              (MSF rep (fetch rep (ram, address rep p))))
       = F)",
   REPEAT GEN_TAC THEN STRIP_TAC THEN
   IMP_RES_TAC cohn_WRITE_TTFF
   THEN ASM_REWRITE_TAC[PAIR_EQ; cohn_ILLEGALWRITE]);;

% cohn_illegalpdest_TTFF_ill %

let cohn_illegalpdest_TTFF_ill = prove_thm
  (`cohn_illegalpdest_TTFF_ill`,
   "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
      (b:bool) (ram:*memory) .
      ((~CSF rep (fetch rep (ram, address rep p))) /\
       (FSF rep (fetch rep (ram, address rep p)) = (T,T,F,F)) /\
       ((DSF rep (fetch rep (ram, address rep p)) = (F,T,T)) \/
        (DSF rep (fetch rep (ram, address rep p)) = (T,F,F)) \/
        (DSF rep (fetch rep (ram, address rep p)) = (T,F,T))))
      ==> ((cohn_ILLEGALPDEST rep (DSF rep (fetch rep (ram, address rep p)),
                                   CSF rep (fetch rep (ram, address rep p)),
                                   FSF rep (fetch rep (ram, address rep p))))
           = T)",
   REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN ASM_REWRITE_TAC[PAIR_EQ; cohn_ILLEGALPDEST]);;

% cohn_illegalpdest_TTFF_pass %

let cohn_illegalpdest_TTFF_pass = prove_thm
  (`cohn_illegalpdest_TTFF_pass`,
   "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
      (b:bool) (ram:*memory) .
      ((~CSF rep (fetch rep (ram, address rep p))) /\
       (FSF rep (fetch rep (ram, address rep p)) = (T,T,F,F)) /\
       ((DSF rep (fetch rep (ram, address rep p)) = (F,F,F)) \/
        (DSF rep (fetch rep (ram, address rep p)) = (F,F,T)) \/
        (DSF rep (fetch rep (ram, address rep p)) = (F,T,F))))
      ==> ((cohn_ILLEGALPDEST rep (DSF rep (fetch rep (ram, address rep p)),
                                   CSF rep (fetch rep (ram, address rep p)),
                                   FSF rep (fetch rep (ram, address rep p))))
           = F)",
   REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN ASM_REWRITE_TAC [PAIR_EQ; cohn_ILLEGALPDEST]);;

let cohn_TTFF_FFF_aux = prove_thm
  (`cohn_TTFF_FFF_aux`,
   "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
      (p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
      (let fsf = (FSF rep (fetch rep (ram, address rep p))) in
       let dsf = (DSF rep (fetch rep (ram, address rep p))) in
       let msf = (MSF rep (fetch rep (ram, address rep p))) in
       let rsf = (RSF rep (fetch rep (ram, address rep p))) in
       let csf = (CSF rep (fetch rep (ram, address rep p))) in
       let addr = (address rep (fetch rep (ram, address rep p))) in
       let newp = (add rep (p, wordn rep 1)) in
       let io = ((cohn_OUTPUT rep (dsf, csf)) \/
                 (cohn_INPUT rep (dsf, csf, fsf))) in
       let r = cohn_REG rep (rsf, a, x, y, newp) in
       let m = cohn_MEMREAD rep (ram, msf, addr, x,
                                 y, io, cohn_NILM rep (dsf, csf, fsf)) in
       let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
       let newp = (add rep (p, wordn rep 1)) in
       (((~stop) /\
         (~csf) /\
         (valid_address rep newp) /\
         (~(dsf = (T,T,T))) /\
         (~(dsf = (T,T,F))) /\
         (dsf = (F,F,F)) /\
         (fsf = (T,T,F,F))) ==>
        (cohn_NEXT rep (a, x, y, p, b, F, ram) =
         (cohn_VALUE aluout, x, y, newp,
          cohn_BVAL aluout, cohn_SVAL aluout,
          ram))))",
   REPEAT GEN_TAC
   THEN EXPAND_LET_TAC
   THEN STRIP_TAC
   THEN (PURE_REWRITE_TAC [cohn_NEXT_expanded]
         THEN IMP_RES_TAC cohn_illegalcall_TTFF
         THEN IMP_RES_TAC cohn_NILM_TTFF
         THEN IMP_RES_TAC cohn_ILLEGALWRITE_TTFF
         THEN IMP_RES_TAC cohn_WRITE_TTFF
         THEN IMP_RES_TAC cohn_illegalpdest_TTFF_ill
         THEN IMP_RES_TAC cohn_illegalpdest_TTFF_pass
         THEN IMP_RES_TAC cohn_sparefunc_TTFF
         THEN ASM_REWRITE_TAC [
                cohn_NOOP; cohn_INVALID; cohn_WRITE; cohn_ILLEGALWRITE;
                cohn_SPAREFUNC;
                PAIR_EQ]));;

let cohn_TTFF_FFT_aux = prove_thm
  (`cohn_TTFF_FFT_aux`,
   "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
      (p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
      (let fsf = (FSF rep (fetch rep (ram, address rep p))) in
       let dsf = (DSF rep (fetch rep (ram, address rep p))) in
       let msf = (MSF rep (fetch rep (ram, address rep p))) in
       let rsf = (RSF rep (fetch rep (ram, address rep p))) in
       let csf = (CSF rep (fetch rep (ram, address rep p))) in
       let addr = (address rep (fetch rep (ram, address rep p))) in
       let newp = (add rep (p, wordn rep 1)) in
       let io = ((cohn_OUTPUT rep (dsf, csf)) \/
                 (cohn_INPUT rep (dsf, csf, fsf))) in
       let r = cohn_REG rep (rsf, a, x, y, newp) in
       let m = cohn_MEMREAD rep (ram, msf, addr, x,
                                 y, io, cohn_NILM rep (dsf, csf, fsf)) in
       let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
       let newp = (add rep (p, wordn rep 1)) in
       (((~stop) /\
         (~csf) /\
         (valid_address rep newp) /\
         (~(dsf = (T,T,T))) /\
         (~(dsf = (T,T,F))) /\
         (dsf = (F,F,T)) /\
         (fsf = (T,T,F,F))) ==>
        (cohn_NEXT rep (a, x, y, p, b, F, ram) =
         (a, cohn_VALUE aluout, y, newp,
          cohn_BVAL aluout, cohn_SVAL aluout,
          ram))))",
   REPEAT GEN_TAC
   THEN EXPAND_LET_TAC
   THEN STRIP_TAC
   THEN (PURE_REWRITE_TAC [cohn_NEXT_expanded]
         THEN IMP_RES_TAC cohn_illegalcall_TTFF
         THEN IMP_RES_TAC cohn_NILM_TTFF
         THEN IMP_RES_TAC cohn_ILLEGALWRITE_TTFF
         THEN IMP_RES_TAC cohn_WRITE_TTFF
         THEN IMP_RES_TAC cohn_illegalpdest_TTFF_ill
         THEN IMP_RES_TAC cohn_illegalpdest_TTFF_pass
         THEN IMP_RES_TAC cohn_sparefunc_TTFF
         THEN ASM_REWRITE_TAC [
                cohn_NOOP; cohn_INVALID; cohn_WRITE; cohn_ILLEGALWRITE;
                cohn_SPAREFUNC;
                PAIR_EQ]));;


let cohn_TTFF_FTF_aux = prove_thm
  (`cohn_TTFF_FTF_aux`,
   "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
      (p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
      (let fsf = (FSF rep (fetch rep (ram, address rep p))) in
       let dsf = (DSF rep (fetch rep (ram, address rep p))) in
       let msf = (MSF rep (fetch rep (ram, address rep p))) in
       let rsf = (RSF rep (fetch rep (ram, address rep p))) in
       let csf = (CSF rep (fetch rep (ram, address rep p))) in
       let addr = (address rep (fetch rep (ram, address rep p))) in
       let newp = (add rep (p, wordn rep 1)) in
       let io = ((cohn_OUTPUT rep (dsf, csf)) \/
                 (cohn_INPUT rep (dsf, csf, fsf))) in
       let r = cohn_REG rep (rsf, a, x, y, newp) in
       let m = cohn_MEMREAD rep (ram, msf, addr, x,
                                 y, io, cohn_NILM rep (dsf, csf, fsf)) in
       let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
       let newp = (add rep (p, wordn rep 1)) in
       (((~stop) /\
         (~csf) /\
         (valid_address rep newp) /\
         (~(dsf = (T,T,T))) /\
         (~(dsf = (T,T,F))) /\
         (dsf = (F,T,F)) /\
         (fsf = (T,T,F,F))) ==>
        (cohn_NEXT rep (a, x, y, p, b, F, ram) =
         (a, x, cohn_VALUE aluout, newp,
          cohn_BVAL aluout, cohn_SVAL aluout,
          ram))))",
   REPEAT GEN_TAC
   THEN EXPAND_LET_TAC
   THEN STRIP_TAC
   THEN (PURE_REWRITE_TAC [cohn_NEXT_expanded]
         THEN IMP_RES_TAC cohn_illegalcall_TTFF
         THEN IMP_RES_TAC cohn_NILM_TTFF
         THEN IMP_RES_TAC cohn_ILLEGALWRITE_TTFF
         THEN IMP_RES_TAC cohn_WRITE_TTFF
         THEN IMP_RES_TAC cohn_illegalpdest_TTFF_ill
         THEN IMP_RES_TAC cohn_illegalpdest_TTFF_pass
         THEN IMP_RES_TAC cohn_sparefunc_TTFF
         THEN ASM_REWRITE_TAC [
                cohn_NOOP; cohn_INVALID; cohn_WRITE; cohn_ILLEGALWRITE;
                cohn_SPAREFUNC;
                PAIR_EQ]));;


let cohn_TTFF_FTT_aux = prove_thm
  (`cohn_TTFF_FTT_aux`,
   "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
      (p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
      (let fsf = (FSF rep (fetch rep (ram, address rep p))) in
       let dsf = (DSF rep (fetch rep (ram, address rep p))) in
       let msf = (MSF rep (fetch rep (ram, address rep p))) in
       let rsf = (RSF rep (fetch rep (ram, address rep p))) in
       let csf = (CSF rep (fetch rep (ram, address rep p))) in
       let addr = (address rep (fetch rep (ram, address rep p))) in
       let newp = (add rep (p, wordn rep 1)) in
       let io = ((cohn_OUTPUT rep (dsf, csf)) \/
                 (cohn_INPUT rep (dsf, csf, fsf))) in
       let r = cohn_REG rep (rsf, a, x, y, newp) in
       let m = cohn_MEMREAD rep (ram, msf, addr, x,
                                 y, io, cohn_NILM rep (dsf, csf, fsf)) in
       let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
       let newp = (add rep (p, wordn rep 1)) in
       (((~stop) /\
         (~csf) /\
         (valid_address rep newp) /\
         (~(dsf = (T,T,T))) /\
         (~(dsf = (T,T,F))) /\
         (dsf = (F,T,T)) /\
         (fsf = (T,T,F,F))) ==>
        (cohn_NEXT rep (a, x, y, p, b, F, ram) =
         (a, x, y, newp, b, T, ram))))",
   REPEAT GEN_TAC
   THEN EXPAND_LET_TAC
   THEN STRIP_TAC
   THEN (PURE_REWRITE_TAC [cohn_NEXT_expanded]
         THEN IMP_RES_TAC cohn_illegalcall_TTFF
         THEN IMP_RES_TAC cohn_NILM_TTFF
         THEN IMP_RES_TAC cohn_ILLEGALWRITE_TTFF
         THEN IMP_RES_TAC cohn_WRITE_TTFF
         THEN IMP_RES_TAC cohn_illegalpdest_TTFF_ill
         THEN IMP_RES_TAC cohn_illegalpdest_TTFF_pass
         THEN IMP_RES_TAC cohn_sparefunc_TTFF
         THEN ASM_REWRITE_TAC [
                cohn_NOOP; cohn_INVALID; cohn_WRITE; cohn_ILLEGALWRITE;
                cohn_SPAREFUNC;
                PAIR_EQ]));;


let cohn_TTFF_TFF_aux = prove_thm
  (`cohn_TTFF_TFF_aux`,
   "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
      (p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
      (let fsf = (FSF rep (fetch rep (ram, address rep p))) in
       let dsf = (DSF rep (fetch rep (ram, address rep p))) in
       let msf = (MSF rep (fetch rep (ram, address rep p))) in
       let rsf = (RSF rep (fetch rep (ram, address rep p))) in
       let csf = (CSF rep (fetch rep (ram, address rep p))) in
       let addr = (address rep (fetch rep (ram, address rep p))) in
       let newp = (add rep (p, wordn rep 1)) in
       let io = ((cohn_OUTPUT rep (dsf, csf)) \/
                 (cohn_INPUT rep (dsf, csf, fsf))) in
       let r = cohn_REG rep (rsf, a, x, y, newp) in
       let m = cohn_MEMREAD rep (ram, msf, addr, x,
                                 y, io, cohn_NILM rep (dsf, csf, fsf)) in
       let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
       let newp = (add rep (p, wordn rep 1)) in
       (((~stop) /\
         (~csf) /\
         (valid_address rep newp) /\
         (~(dsf = (T,T,T))) /\
         (~(dsf = (T,T,F))) /\
         (dsf = (T,F,F)) /\
         (fsf = (T,T,F,F))) ==>
        (cohn_NEXT rep (a, x, y, p, b, F, ram) =
         (a, x, y, newp, b, T, ram))))",
   REPEAT GEN_TAC
   THEN EXPAND_LET_TAC
   THEN STRIP_TAC
   THEN (PURE_REWRITE_TAC [cohn_NEXT_expanded]
         THEN IMP_RES_TAC cohn_illegalcall_TTFF
         THEN IMP_RES_TAC cohn_NILM_TTFF
         THEN IMP_RES_TAC cohn_ILLEGALWRITE_TTFF
         THEN IMP_RES_TAC cohn_WRITE_TTFF
         THEN IMP_RES_TAC cohn_illegalpdest_TTFF_ill
         THEN IMP_RES_TAC cohn_illegalpdest_TTFF_pass
         THEN IMP_RES_TAC cohn_sparefunc_TTFF
         THEN ASM_REWRITE_TAC [
                cohn_NOOP; cohn_INVALID; cohn_WRITE; cohn_ILLEGALWRITE;
                cohn_SPAREFUNC;
                PAIR_EQ]));;


let cohn_TTFF_TFT_aux = prove_thm
  (`cohn_TTFF_TFT_aux`,
   "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
      (p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
      (let fsf = (FSF rep (fetch rep (ram, address rep p))) in
       let dsf = (DSF rep (fetch rep (ram, address rep p))) in
       let msf = (MSF rep (fetch rep (ram, address rep p))) in
       let rsf = (RSF rep (fetch rep (ram, address rep p))) in
       let csf = (CSF rep (fetch rep (ram, address rep p))) in
       let addr = (address rep (fetch rep (ram, address rep p))) in
       let newp = (add rep (p, wordn rep 1)) in
       let io = ((cohn_OUTPUT rep (dsf, csf)) \/
                 (cohn_INPUT rep (dsf, csf, fsf))) in
       let r = cohn_REG rep (rsf, a, x, y, newp) in
       let m = cohn_MEMREAD rep (ram, msf, addr, x,
                                 y, io, cohn_NILM rep (dsf, csf, fsf)) in
       let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
       let newp = (add rep (p, wordn rep 1)) in
       (((~stop) /\
         (~csf) /\
         (valid_address rep newp) /\
         (~(dsf = (T,T,T))) /\
         (~(dsf = (T,T,F))) /\
         (dsf = (T,F,T)) /\
         (fsf = (T,T,F,F))) ==>
        (cohn_NEXT rep (a, x, y, p, b, F, ram) =
         (a, x, y, newp, b, T, ram))))",
   REPEAT GEN_TAC
   THEN EXPAND_LET_TAC
   THEN STRIP_TAC
   THEN (PURE_REWRITE_TAC [cohn_NEXT_expanded]
         THEN IMP_RES_TAC cohn_illegalcall_TTFF
         THEN IMP_RES_TAC cohn_NILM_TTFF
         THEN IMP_RES_TAC cohn_ILLEGALWRITE_TTFF
         THEN IMP_RES_TAC cohn_WRITE_TTFF
         THEN IMP_RES_TAC cohn_illegalpdest_TTFF_ill
         THEN IMP_RES_TAC cohn_illegalpdest_TTFF_pass
         THEN IMP_RES_TAC cohn_sparefunc_TTFF
         THEN ASM_REWRITE_TAC [
                cohn_NOOP; cohn_INVALID; cohn_WRITE; cohn_ILLEGALWRITE;
                cohn_SPAREFUNC;
                PAIR_EQ]));;


quit();;


%
let cohn_TTFF_aux = prove_thm
  (`cohn_TTFF_aux`,
   "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
      (p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
      (let fsf = (FSF rep (fetch rep (ram, address rep p))) in
       let dsf = (DSF rep (fetch rep (ram, address rep p))) in
       let msf = (MSF rep (fetch rep (ram, address rep p))) in
       let rsf = (RSF rep (fetch rep (ram, address rep p))) in
       let csf = (CSF rep (fetch rep (ram, address rep p))) in
       let addr = (address rep (fetch rep (ram, address rep p))) in
       let newp = (add rep (p, wordn rep 1)) in
       let io = ((cohn_OUTPUT rep (dsf, csf)) \/
                 (cohn_INPUT rep (dsf, csf, fsf))) in
       let r = cohn_REG rep (rsf, a, x, y, newp) in
       let m = cohn_MEMREAD rep (ram, msf, addr, x,
                                 y, io, cohn_NILM rep (dsf, csf, fsf)) in
       let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
       let newp = (add rep (p, wordn rep 1)) in
       (((~stop) /\
         (~csf) /\
         (valid_address rep newp) /\
         (~(dsf = (T,T,T))) /\
         (~(dsf = (T,T,F))) /\
         ((dsf = (F,F,F)) \/
          (dsf = (F,F,T)) \/
          (dsf = (F,T,F)) \/
          (dsf = (F,T,T)) \/
          (dsf = (T,F,F)) \/
          (dsf = (T,F,T))) /\
         (fsf = (T,T,F,F))) ==>
        (cohn_NEXT rep (a, x, y, p, b, stop, ram) =
         ((dsf = (F,F,F))
          => (cohn_VALUE aluout, x, y, newp,
              cohn_BVAL aluout, cohn_SVAL aluout,
              ram) |
          ((dsf = (F,F,T))
           => (a, cohn_VALUE aluout, y, newp,
               cohn_BVAL aluout, cohn_SVAL aluout,
               ram) |
           ((dsf = (F,T,F))
            => (a, x, cohn_VALUE aluout, newp,
                cohn_BVAL aluout, cohn_SVAL aluout,
                ram) |
            (a, x, y, newp, b, T, ram))))))",
   REPEAT GEN_TAC
   THEN EXPAND_LET_TAC
   THEN STRIP_TAC
   THEN (PURE_REWRITE_TAC [cohn_NEXT_expanded]
         THEN IMP_RES_TAC cohn_illegalcall_TTFF
         THEN IMP_RES_TAC cohn_NILM_TTFF
         THEN IMP_RES_TAC cohn_ILLEGALWRITE_TTFF
         THEN IMP_RES_TAC cohn_WRITE_TTFF
         THEN IMP_RES_TAC cohn_illegalpdest_TTFF_ill
         THEN IMP_RES_TAC cohn_illegalpdest_TTFF_pass
         THEN IMP_RES_TAC cohn_sparefunc_TTFF
         THEN ASM_REWRITE_TAC [
                cohn_NOOP; cohn_INVALID; cohn_WRITE; cohn_ILLEGALWRITE;
                cohn_SPAREFUNC;
                PAIR_EQ]));;
%
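The six cohn_TTFF_*_aux theorems, and the combined cohn_TTFF_aux statement left in the comment above, fix exactly how cohn_NEXT dispatches on the destination field for the shift instruction: A, X or Y receives the ALU value and the machine keeps running, while a destination that the ALU flags as pwrite leaves the registers alone and sets stop. The Python model below is an added example, not code from the report or from the HOL theories it lists. It encodes only what the theorem statements on this page say (cohn_ALU_TTFF_TT's result triple, cohn_stop, cohn_noinc and the dsf case split) and then checks that property exhaustively over every destination value the theorems cover. The word width, the valid address range, and the meanings of shlb and bitn are assumptions chosen here so the model runs; the source-register selection performed by cohn_REG is abstracted into the argument r.

```python
"""Executable model of the case split fixed by the cohn_TTFF_*_aux theorems.

Added example, not code from the report or the HOL theories it lists.  It
models only what the theorem statements on this page fix: for the shift
instruction (fsf = (T,T,F,F), msf = (T,T)) the ALU yields
(shlb r b, bitn r, pwrite) and cohn_NEXT dispatches on the destination
field dsf.  The word size, the address range and the meanings of shlb and
bitn are assumptions made here so that the model runs; the source-register
selection done by cohn_REG is abstracted into the argument r.
"""
from itertools import product
from typing import NamedTuple, Tuple

WORD_BITS = 32                 # assumption: words are 32-bit integers
WORD_MASK = (1 << WORD_BITS) - 1
MEM_WORDS = 1 << 20            # assumption: valid_address means p < MEM_WORDS

Bt3 = Tuple[bool, bool, bool]  # the 3-bit destination field, F/T as bool

# Destinations the ALU flags as pwrite; cohn_illegalpdest_TTFF_ill and
# write_reg_illegalpdest_aux make these stop the machine.
PWRITE_DSF = {(False, True, True), (True, False, False), (True, False, True)}
# Destinations excluded by the theorems' hypotheses (the memory-write cases).
WRITE_DSF = {(True, True, True), (True, True, False)}


class Cohn(NamedTuple):
    """The (a, x, y, p, b, stop) part of the cohn-level state; ram is left
    out because none of the cases modelled here change it."""
    a: int
    x: int
    y: int
    p: int
    b: bool
    stop: bool


def shlb(r: int, b: bool) -> int:
    """Assumed meaning of shlb: shift r left one bit, shifting b into bit 0."""
    return ((r << 1) | int(b)) & WORD_MASK


def bitn(r: int) -> bool:
    """Assumed meaning of bitn: the top bit of r (the bit shlb shifts out)."""
    return bool((r >> (WORD_BITS - 1)) & 1)


def valid_address(p: int) -> bool:
    return 0 <= p < MEM_WORDS


def cohn_alu_ttff_tt(dsf: Bt3, r: int, b: bool):
    """cohn_ALU_TTFF_TT: aluout = (shlb rep (r,b), bitn rep r, pwrite), so
    cohn_VALUE, cohn_BVAL and cohn_SVAL are the three components."""
    pwrite = dsf in PWRITE_DSF
    return shlb(r, b), bitn(r), pwrite


def cohn_next_ttff(s: Cohn, dsf: Bt3, r: int) -> Cohn:
    """cohn_NEXT for this instruction, following cohn_stop, cohn_noinc and
    the six cohn_TTFF_*_aux theorems in that order."""
    if dsf in WRITE_DSF:
        raise ValueError("dsf outside the hypothesis of the TTFF theorems")
    if s.stop:                                   # cohn_stop: p is not advanced
        return s._replace(stop=True)
    newp = (s.p + 1) & WORD_MASK
    if not valid_address(newp):                  # cohn_noinc
        return s._replace(p=newp, stop=True)
    value, bval, sval = cohn_alu_ttff_tt(dsf, r, s.b)
    if dsf == (False, False, False):             # cohn_TTFF_FFF_aux: A := value
        return Cohn(value, s.x, s.y, newp, bval, sval)
    if dsf == (False, False, True):              # cohn_TTFF_FFT_aux: X := value
        return Cohn(s.a, value, s.y, newp, bval, sval)
    if dsf == (False, True, False):              # cohn_TTFF_FTF_aux: Y := value
        return Cohn(s.a, s.x, value, newp, bval, sval)
    return s._replace(p=newp, stop=True)         # FTT/TFF/TFT: illegal pdest


def check_ttff_cases() -> bool:
    """Exhaustive check of what the combined cohn_TTFF_aux statement says:
    the machine stops exactly on the pwrite destinations, and a legal
    destination changes exactly one of a, x, y (to shlb r b), sets b to the
    shifted-out bit and keeps running."""
    s0 = Cohn(a=0x11, x=0x22, y=0x33, p=0x100, b=False, stop=False)
    target = {(False, False, False): "a",
              (False, False, True): "x",
              (False, True, False): "y"}
    for bits in product([False, True], repeat=3):
        dsf = (bits[0], bits[1], bits[2])
        if dsf in WRITE_DSF:
            continue
        for r, b in [(0x1, False), (0x80000001, True), (WORD_MASK, False)]:
            s1 = cohn_next_ttff(s0._replace(b=b), dsf, r)
            if dsf in PWRITE_DSF:
                expected = s0._replace(b=b, p=s0.p + 1, stop=True)
            else:
                kw = {target[dsf]: shlb(r, b), "p": s0.p + 1, "b": bitn(r)}
                expected = s0._replace(**kw)
            if s1 != expected:
                return False
    return True
```

The loop in check_ttff_cases plays the role that the ASM_CASES_TAC splits and bt3_remaining_lemma play in the HOL proof: every value of the 3-bit field is considered, the two memory-write values are set aside by hypothesis, and the remaining six fall into the register-write group or the stop group with nothing left over.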

%
Author: Tony Leung
University of California, Davis

Prove that the macro level ==> cohn level
%

system `/bin/rm cohn_shlb.th`;;

set_search_path (search_path() @ lib_dir_list);;
loadf `abstract`;;

new_theory `cohn_shlb`;;

new_parent `aux_def`;;
new_parent `cohn_viper`;;
new_parent `macro_def`;;
new_parent `cohn_TTFF_aux`;;
new_parent `cohn_eqvaux`;;

let rep_ty = abstract_type `aux_def` `opcode`;;

let cohn_ALU = EXPAND_LET_RULE (definition `cohn_viper` `cohn_ALU`);;

let cohn_SVAL = definition `cohn_viper` `cohn_SVAL`;;

let cohn_BVAL = definition `cohn_viper` `cohn_BVAL`;;

let cohn_VALUE = definition `cohn_viper` `cohn_VALUE`;;

let cohn_INVALID = definition `cohn_viper` `cohn_INVALID`;;

let cohn_ILLEGALCALL = definition `cohn_viper` `cohn_ILLEGALCALL`;;

let cohn_SPAREFUNC = definition `cohn_viper` `cohn_SPAREFUNC`;;

let cohn_ILLEGALPDEST = definition `cohn_viper` `cohn_ILLEGALPDEST`;;

let cohn_WRITE = definition `cohn_viper` `cohn_WRITE`;;

let cohn_ILLEGALWRITE = definition `cohn_viper` `cohn_ILLEGALWRITE`;;

let cohn_NILM = definition `cohn_viper` `cohn_NILM`;;

let cohn_NOOP = definition `cohn_viper` `cohn_NOOP`;;

let cohn_REG = definition `cohn_viper` `cohn_REG`;;

let bt3_remaining_lemma = theorem `cohn_eqvaux` `bt3_remaining_lemma`;;

let reg_eqv = theorem `cohn_eqvaux` `reg_eqv`;;

let cohn_stop = theorem `cohn_eqvaux` `cohn_stop`;;

let cohn_noinc = theorem `cohn_eqvaux` `cohn_noinc`;;

let SHLB = definition `macro_def` `SHLB`;;

let write_reg = EXPAND_LET_RULE (definition `macro_def` `write_reg`);;
let load_r = EXPAND_LET_RULE (definition `macro_def` `load_r`);;

let write_reg_illegalpdest_aux =
  theorem `cohn_eqvaux` `write_reg_illegalpdest_aux`;;

% cohn_ALU_TTFF_TT %

let cohn_ALU_TTFF_TT = prove_thm
  (`cohn_ALU_TTFF_TT`,
   "! (rep:^rep_ty) (fsf:bt4) (msf:bt2)
      (dsf:bt3) (r:*wordn) (m:*wordn) (b:bool) .
      (((fsf = (T,T,F,F)) /\ (msf = (T,T))) ==>
       (let pwrite = ((dsf = (F,T,T)) \/ ((dsf = (T,F,F)) \/
                      (dsf = (T,F,T)))) in
        (cohn_ALU rep (fsf, msf, dsf, r, m, b)
         = (shlb rep (r, b), (bitn rep r), pwrite))))",
   REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN EXPAND_LET_TAC
   THEN ASM_REWRITE_TAC [cohn_ALU; PAIR_EQ]);;

% cohn_ALU_TTFF_TT_VALUE %

let cohn_ALU_TTFF_TT_VALUE = prove_thm
  (`cohn_ALU_TTFF_TT_VALUE`,
   "! (rep:^rep_ty) (fsf:bt4) (msf:bt2)
      (dsf:bt3) (r:*wordn) (m:*wordn) (b:bool) .
      (((fsf = (T,T,F,F)) /\ (msf = (T,T))) ==>
       (let pwrite = ((dsf = (F,T,T)) \/ ((dsf = (T,F,F)) \/
                      (dsf = (T,F,T)))) in
        let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
        (cohn_VALUE aluout = (shlb rep (r,b)))))",
   REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN EXPAND_LET_TAC
   THEN IMP_RES_TAC (EXPAND_LET_RULE cohn_ALU_TTFF_TT)
   THEN ASM_REWRITE_TAC [cohn_VALUE]);;


% cohn_ALU_TTFF_TT_BVAL %

let cohn_ALU_TTFF_TT_BVAL = prove_thm
  (`cohn_ALU_TTFF_TT_BVAL`,
   "! (rep:^rep_ty) (fsf:bt4) (msf:bt2)
      (dsf:bt3) (r:*wordn) (m:*wordn) (b:bool) .
      (((fsf = (T,T,F,F)) /\ (msf = (T,T))) ==>
       (let pwrite = ((dsf = (F,T,T)) \/ ((dsf = (T,F,F)) \/
                      (dsf = (T,F,T)))) in
        let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
        (cohn_BVAL aluout = (bitn rep r))))",
   REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN EXPAND_LET_TAC
   THEN IMP_RES_TAC (EXPAND_LET_RULE cohn_ALU_TTFF_TT)
   THEN ASM_REWRITE_TAC [cohn_BVAL]);;


% cohn_ALU_TTFF_TT_SVAL %

let cohn_ALU_TTFF_TT_SVAL = prove_thm
  (`cohn_ALU_TTFF_TT_SVAL`,
   "! (rep:^rep_ty) (fsf:bt4) (msf:bt2)
      (dsf:bt3) (r:*wordn) (m:*wordn) (b:bool) .
      (((fsf = (T,T,F,F)) /\ (msf = (T,T))) ==>
       (let pwrite = ((dsf = (F,T,T)) \/ ((dsf = (T,F,F)) \/
                      (dsf = (T,F,T)))) in
        let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
        (cohn_SVAL aluout = pwrite)))",
   REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN EXPAND_LET_TAC
   THEN IMP_RES_TAC (EXPAND_LET_RULE cohn_ALU_TTFF_TT)
   THEN ASM_REWRITE_TAC [cohn_SVAL]);;


let cohn_ALU_TTFF_TT_FFF_SVAL_aux
  = EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
      (SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,F,F)";
              "load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
                                     fetch rep (ram, address rep p))";
              "cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep
                               (fetch rep (ram, address rep p)), x, y,
                               (cohn_OUTPUT rep ((F,F,F),F) \/
                                cohn_INPUT rep ((F,F,F),F,T,T,F,F)),
                               cohn_NILM rep ((F,F,F),F,T,T,F,F))";
              "b:bool"]
             cohn_ALU_TTFF_TT_SVAL));;

let cohn_ALU_TTFF_TT_FFF_BVAL_aux
  = EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
      (SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,F,F)";
              "load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
                                     fetch rep (ram, address rep p))";
              "cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep
                               (fetch rep (ram, address rep p)), x, y,
                               (cohn_OUTPUT rep ((F,F,F),F) \/
                                cohn_INPUT rep ((F,F,F),F,T,T,F,F)),
                               cohn_NILM rep ((F,F,F),F,T,T,F,F))";
              "b:bool"]
             cohn_ALU_TTFF_TT_BVAL));;

let cohn_ALU_TTFF_TT_FFF_VALUE_aux
  = EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
      (SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,F,F)";
              "load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
                                     fetch rep (ram, address rep p))";
              "cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep
                               (fetch rep (ram, address rep p)), x, y,
                               (cohn_OUTPUT rep ((F,F,F),F) \/
                                cohn_INPUT rep ((F,F,F),F,T,T,F,F)),
                               cohn_NILM rep ((F,F,F),F,T,T,F,F))";
              "b:bool"]
             cohn_ALU_TTFF_TT_VALUE));;

let cohn_ALU_TTFF_TT_FFT_SVAL_aux
  = EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
      (SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,F,T)";
              "load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
                                     fetch rep (ram, address rep p))";
              "cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep
                               (fetch rep (ram, address rep p)), x, y,
                               (cohn_OUTPUT rep ((F,F,T),F) \/
                                cohn_INPUT rep ((F,F,T),F,T,T,F,F)),
                               cohn_NILM rep ((F,F,T),F,T,T,F,F))";
              "b:bool"]
             cohn_ALU_TTFF_TT_SVAL));;

let cohn_ALU_TTFF_TT_FFT_BVAL_aux
  = EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
      (SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,F,T)";
              "load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
                                     fetch rep (ram, address rep p))";
              "cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep
                               (fetch rep (ram, address rep p)), x, y,
                               (cohn_OUTPUT rep ((F,F,T),F) \/
                                cohn_INPUT rep ((F,F,T),F,T,T,F,F)),
                               cohn_NILM rep ((F,F,T),F,T,T,F,F))";
              "b:bool"]
             cohn_ALU_TTFF_TT_BVAL));;

let cohn_ALU_TTFF_TT_FFT_VALUE_aux
  = EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
      (SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,F,T)";
              "load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
                                     fetch rep (ram, address rep p))";
              "cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep
                               (fetch rep (ram, address rep p)), x, y,
                               (cohn_OUTPUT rep ((F,F,T),F) \/
                                cohn_INPUT rep ((F,F,T),F,T,T,F,F)),
                               cohn_NILM rep ((F,F,T),F,T,T,F,F))";
              "b:bool"]
             cohn_ALU_TTFF_TT_VALUE));;

let cohn_ALU_TTFF_TT_FTF_SVAL_aux
  = EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
      (SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,T,F)";
              "load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
                                     fetch rep (ram, address rep p))";
              "cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep
                               (fetch rep (ram, address rep p)), x, y,
                               (cohn_OUTPUT rep ((F,T,F),F) \/
                                cohn_INPUT rep ((F,T,F),F,T,T,F,F)),
                               cohn_NILM rep ((F,T,F),F,T,T,F,F))";
              "b:bool"]
             cohn_ALU_TTFF_TT_SVAL));;

let cohn_ALU_TTFF_TT_FTF_BVAL_aux
  = EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
      (SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,T,F)";
              "load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
                                     fetch rep (ram, address rep p))";
              "cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep
                               (fetch rep (ram, address rep p)), x, y,
                               (cohn_OUTPUT rep ((F,T,F),F) \/
                                cohn_INPUT rep ((F,T,F),F,T,T,F,F)),
                               cohn_NILM rep ((F,T,F),F,T,T,F,F))";
              "b:bool"]
             cohn_ALU_TTFF_TT_BVAL));;

let cohn_ALU_TTFF_TT_FTF_VALUE_aux
  = EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
      (SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,T,F)";
              "load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
                                     fetch rep (ram, address rep p))";
              "cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep
                               (fetch rep (ram, address rep p)), x, y,
                               (cohn_OUTPUT rep ((F,T,F),F) \/
                                cohn_INPUT rep ((F,T,F),F,T,T,F,F)),
                               cohn_NILM rep ((F,T,F),F,T,T,F,F))";
              "b:bool"]
             cohn_ALU_TTFF_TT_VALUE));;

let illegal_shlb = (SPECL ["rep:^rep_ty";
                           "a:*wordn";
                           "x:*wordn"; "y:*wordn";
                           "add (rep:^rep_ty) (p, wordn rep 1)";
                           "b:bool"; "F";
                           "fetch (rep:^rep_ty) (ram, address rep p)";
                           "ram:*memory";
                           "shlb (rep:^rep_ty)
                              ((load_r rep
                                 (a,x,y,add rep (p,wordn rep 1),
                                  fetch rep (ram, address rep p))), b)";
                           "b:bool"]
                          write_reg_illegalpdest_aux);;

let dsf_remain = (SPEC "(DSF (rep:^rep_ty)
                          (fetch rep (ram, address rep p))):bt3"
                       bt3_remaining_lemma);;

let cohn_TTFF_FFF_aux_expanded = EXPAND_LET_RULE
  (theorem `cohn_TTFF_aux` `cohn_TTFF_FFF_aux`);;
let cohn_TTFF_FFT_aux_expanded = EXPAND_LET_RULE
  (theorem `cohn_TTFF_aux` `cohn_TTFF_FFT_aux`);;
let cohn_TTFF_FTF_aux_expanded = EXPAND_LET_RULE
  (theorem `cohn_TTFF_aux` `cohn_TTFF_FTF_aux`);;
let cohn_TTFF_FTT_aux_expanded = EXPAND_LET_RULE
  (theorem `cohn_TTFF_aux` `cohn_TTFF_FTT_aux`);;
let cohn_TTFF_TFF_aux_expanded = EXPAND_LET_RULE
  (theorem `cohn_TTFF_aux` `cohn_TTFF_TFF_aux`);;
let cohn_TTFF_TFT_aux_expanded = EXPAND_LET_RULE
  (theorem `cohn_TTFF_aux` `cohn_TTFF_TFT_aux`);;

% shlb %

set_goal ([],
  "! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
     (stop:bool) (ram:*memory) .
     ((~(CSF rep (fetch rep (ram, (address rep p)))) /\
       (~(DSF rep (fetch rep (ram, (address rep p))) = (T,T,F))) /\
       (~(DSF rep (fetch rep (ram, address rep p)) = (T,T,T))) /\
       (FSF rep (fetch rep (ram, address rep p)) = (T,T,F,F)) /\
       (MSF rep (fetch rep (ram, address rep p)) = (T,T))) ==>
      (SHLB rep (a, x, y, p, b, stop, ram) =
       cohn_NEXT rep (a, x, y, p, b, stop, ram)))");;


e (REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN PURE_REWRITE_TAC [SHLB]
   THEN EXPAND_LET_TAC
   THEN ASM_CASES_TAC "stop:bool"
   THEN IMP_RES_TAC cohn_stop
   THEN ASM_REWRITE_TAC[]
   THEN ASM_CASES_TAC "~(valid_address (rep:^rep_ty)
                          (add rep (p, wordn rep 1))):bool");;

e (IMP_RES_TAC (EXPAND_LET_RULE cohn_noinc)
   THEN ASM_REWRITE_TAC []
   THEN ASM_REWRITE_TAC []);;

e (ASSUM_LIST (\asl. ASSUME_TAC (REWRITE_RULE
                                   [el 19 asl] (el 1 asl)))
   THEN ASM_REWRITE_TAC []);;

e (ASSUM_LIST (\asl. ASSUME_TAC (REWRITE_RULE
                                   [] (el 1 asl))));;

e (ASM_CASES_TAC "((DSF (rep:^rep_ty) (fetch rep (ram, address rep p)))
                   = (F,F,F)):bool");;

e (IMP_RES_TAC cohn_TTFF_FFF_aux_expanded
   THEN ASM_REWRITE_TAC [cohn_ALU_TTFF_TT_FFF_VALUE_aux;
                         cohn_ALU_TTFF_TT_FFF_SVAL_aux;
                         cohn_ALU_TTFF_TT_FFF_BVAL_aux;
                         reg_eqv; write_reg; PAIR_EQ]);;

e (ASM_CASES_TAC "((DSF (rep:^rep_ty) (fetch rep (ram, address rep p)))
                   = (F,F,T)):bool");;

e (IMP_RES_TAC cohn_TTFF_FFT_aux_expanded
   THEN ASM_REWRITE_TAC [cohn_ALU_TTFF_TT_FFT_VALUE_aux;
                         cohn_ALU_TTFF_TT_FFT_SVAL_aux;
                         cohn_ALU_TTFF_TT_FFT_BVAL_aux;
                         reg_eqv; write_reg; PAIR_EQ]);;

e (ASM_CASES_TAC "((DSF (rep:^rep_ty) (fetch rep (ram, address rep p)))
                   = (F,T,F)):bool");;

e (IMP_RES_TAC cohn_TTFF_FTF_aux_expanded
   THEN ASM_REWRITE_TAC [cohn_ALU_TTFF_TT_FTF_VALUE_aux;
                         cohn_ALU_TTFF_TT_FTF_SVAL_aux;
                         cohn_ALU_TTFF_TT_FTF_BVAL_aux;
                         reg_eqv; write_reg; PAIR_EQ]);;

e (ASM_CASES_TAC "((DSF (rep:^rep_ty) (fetch rep (ram, address rep p)))
                   = (F,T,T)):bool");;

e (IMP_RES_TAC cohn_TTFF_FTT_aux_expanded
   THEN IMP_RES_TAC illegal_shlb
   THEN ASM_REWRITE_TAC [reg_eqv; write_reg; PAIR_EQ]);;

e (ASM_CASES_TAC "((DSF (rep:^rep_ty) (fetch rep (ram, address rep p)))
                   = (T,F,F)):bool");;

e (IMP_RES_TAC cohn_TTFF_TFF_aux_expanded
   THEN IMP_RES_TAC illegal_shlb
   THEN ASM_REWRITE_TAC [reg_eqv; write_reg; PAIR_EQ]);;

e (IMP_RES_TAC dsf_remain);;

e (IMP_RES_TAC cohn_TTFF_TFT_aux_expanded
   THEN IMP_RES_TAC illegal_shlb
   THEN ASM_REWRITE_TAC [reg_eqv; write_reg; PAIR_EQ]);;
Appendix D: MACRO LEVEL SPECIFICATION

%
File: def_ucode.ml

Description: Defines the selectors for fields of a microinstruction
%

set_search_path (search_path() @ lib_dir_list);;

system `/bin/rm ucode_def.th`;;
new_theory `ucode_def`;;
map new_parent [`tuple`];;

%
Now define a type for ucode.
%

new_type_abbrev(`ucode`,
  ":(bt7#(bt3#bt4)#bool#(bool#bool#bool)#(bt2#bt3#bool#bool)#
     (bool#bool)#(bool#bool#bt2))"
);;

%
Here are the selectors for the microcode
%

let Maddr = new_definition
  (`Maddr`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    Maddr (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
           (den,ren), (asel,dsel,msel)) = ua"
  );;

let Seqctl = new_definition
  (`Seqctl`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    Seqctl (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
            (den,ren), (asel,dsel,msel)) = sctl"
  );;

let Aluctl = new_definition
  (`Aluctl`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    Aluctl (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
            (den,ren), (asel,dsel,msel)) = actl"
  );;

let Dec_ctl = new_definition
  (`Dec_ctl`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    Dec_ctl (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
             (den,ren), (asel,dsel,msel)) = decctl"
  );;

let R = new_definition
  (`R`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    R (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
       (den,ren), (asel,dsel,msel)) = rd"
  );;

let W = new_definition
  (`W`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    W (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
       (den,ren), (asel,dsel,msel)) = wr"
  );;

let Io = new_definition
  (`Io`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    Io (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
        (den,ren), (asel,dsel,msel)) = inout"
  );;

let Mrf = new_definition
  (`Mrf`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    Mrf (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
         (den,ren), (asel,dsel,msel)) = urf"
  );;

let Mdf = new_definition
  (`Mdf`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    Mdf (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
         (den,ren), (asel,dsel,msel)) = udf"
  );;

let Rfc = new_definition
  (`Rfc`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    Rfc (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
         (den,ren), (asel,dsel,msel)) = rfctl"
  );;

let Dfc = new_definition
  (`Dfc`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    Dfc (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
         (den,ren), (asel,dsel,msel)) = dfctl"
  );;

let De = new_definition
  (`De`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    De (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
        (den,ren), (asel,dsel,msel)) = den"
  );;

let Re = new_definition
  (`Re`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    Re (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
        (den,ren), (asel,dsel,msel)) = ren"
  );;

let Adrs = new_definition
  (`Adrs`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    Adrs (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
          (den,ren), (asel,dsel,msel)) = asel"
  );;

let Ds = new_definition
  (`Ds`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    Ds (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
        (den,ren), (asel,dsel,msel)) = dsel"
  );;

let Ms = new_definition
  (`Ms`,
   "!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
     (urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
    Ms (ua, (sctl,actl), decctl, (rd,wr,inout), (urf,udf,rfctl,dfctl),
        (den,ren), (asel,dsel,msel)) = msel"
  );;

close_theory();;
%
The Macro level of Viper
University of California, Davis
Viper's macro level
modifications

- changed formatting and reordered opnds to add rep

- SUBS changed to SUBO

- changed write_preg so that if skip, stop is set to F

- changed SHL to use ovflw = bitn rep ldr

- added expanded defns for load_m, load_r, etc

%

system `/bin/rm macro_def.th`;;

set_search_path (search_path() @ lib_dir_list);;
loadf `abstract`;;
new_theory `macro_def`;;
new_parent `aux_def`;;

let rep_ty = abstract_type `aux_def` `opcode`;;




%
start of addressing unit
%

let load_m = new_definition(`load_m`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
    (ir:*wordn) (ram:*memory).
   load_m rep (a, x, y, p, ir, ram) =
     let msfValue = (MSF rep ir) in
     let tmp = (address rep ir) in
     let addr = (pad rep tmp) in
     ((msfValue = (F,F)) => (F, addr) |
      ((msfValue = (F,T)) => (F, (fetch rep (ram, (address rep addr)))) |
       ((msfValue = (T,F)) => (let t = (add rep (x, addr)) in
                               ((valid_address rep t) =>
                                 (F, fetch rep (ram, (address rep t))) |
                                 (T, addr))) |
        (let t = (add rep (y, addr)) in
         ((valid_address rep t) =>
           (F, (fetch rep (ram, (address rep t)))) |
           (T, addr))))))");;

save_thm(`load_m_expanded`, EXPAND_LET_RULE load_m);;


let load_io = new_definition(`load_io`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
    (ir:*wordn) (ram:*memory).
   load_io rep (a, x, y, p, ir, ram) =
     let msfValue = (MSF rep ir) in
     let tmp = (address rep ir) in
     let addr = (pad rep tmp) in
     ((msfValue = (F,F)) => (F, addr) |
      ((msfValue = (F,T)) => (F, (fetchio rep (ram, (address rep addr)))) |
       ((msfValue = (T,F)) => (let t = (add rep (x, addr)) in
                               ((valid_address rep t) =>
                                 (F, fetchio rep (ram, (address rep t))) |
                                 (T, addr))) |
        (let t = (add rep (y, addr)) in
         ((valid_address rep t) =>
           (F, (fetchio rep (ram, (address rep t)))) |
           (T, addr))))))");;

save_thm(`load_io_expanded`, EXPAND_LET_RULE load_io);;

let load_r = new_definition(`load_r`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
    (ir:*wordn).
   load_r rep (a, x, y, p, ir) =
     let rsfValue = (RSF rep ir) in
     ((rsfValue = (F,F)) => a |
      ((rsfValue = (F,T)) => x |
       ((rsfValue = (T,F)) => y |
        p)))");;

save_thm(`load_r_expanded`, EXPAND_LET_RULE load_r);;

let write_reg = new_definition(`write_reg`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ir:*wordn) (ram:*memory) (value:*wordn) (newb:bool).
   write_reg rep (a, x, y, p, b, stop, ir, ram, value, newb) =
     let dsfValue = (DSF rep ir) in
     ((dsfValue = (F,F,F)) => (value, x, y, p, newb, stop, ram) |
      ((dsfValue = (F,F,T)) => (a, value, y, p, newb, stop, ram) |
       ((dsfValue = (F,T,F)) => (a, x, value, p, newb, stop, ram) |
        (a, x, y, p, b, T, ram))))");;

save_thm(`write_reg_expanded`, EXPAND_LET_RULE write_reg);;

let write_preg = new_definition(`write_preg`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ir:*wordn) (ram:*memory) (value:*wordn).
   write_preg rep (a, x, y, p, b, stop, ir, ram, value) =
     let dsfValue = (DSF rep ir) in
     let call = ((CSF rep ir) = (F)) /\ ((FSF rep ir) = (F,F,F,T)) in
     ((dsfValue = (F,F,F)) => (value, x, y, p, b, stop, ram) |
      ((dsfValue = (F,F,T)) => (a, value, y, p, b, stop, ram) |
       ((dsfValue = (F,T,F)) => (a, x, value, p, b, stop, ram) |
        ((dsfValue = (T,T,F)) => (a, x, y, p, b, T, ram) |
         ((dsfValue = (T,T,T)) => (a, x, y, p, b, T, ram) |
          ((((dsfValue = (T,F,F)) /\ ~b) \/
            ((dsfValue = (T,F,T)) /\ b)) => (a, x, y, p, b, F, ram) |
           (call => (a, x, p, value, b, ((~(valid_address rep value)) \/ stop),
                     ram) |
            (a, x, y, value, b, (stop \/ ~(valid_address rep value)), ram))))))))");;

save_thm(`write_preg_expanded`, EXPAND_LET_RULE write_preg);;

%
start of ALU
%

%
Compare
%

let CMP = new_definition(`CMP`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   CMP rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let m = (load_m rep (a, x, y, newp, ir, ram)) in
          ((FST m) => % invalid memory load %
            (a, x, y, newp, b, T, ram) |
            (let ldr = (load_r rep (a, x, y, newp, ir)) in
             let ldm = (SND m) in
             let fsf = (FSF rep ir) in
             (a, x, y, newp, (bcmp rep (ldr, ldm, b, fsf)), F, ram)))))))");;

%
negate a value
%

let NEG = new_definition(`NEG`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
    (b:bool) (stop:bool) (ram:*memory).
   NEG rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let m = (load_m rep (a, x, y, newp, ir, ram)) in
          ((FST m) => % invalid memory load %
            (a, x, y, newp, b, T, ram) |
            (let ldm = (SND m) in
             let result = (neg rep ldm) in
             write_reg rep (a, x, y, newp, b, F, ir, ram, result, b)))))))");;

%
Add without overflow detection.
%

let ADDB = new_definition(`ADDB`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
    (b:bool) (stop:bool) (ram:*memory).
   ADDB rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let m = (load_m rep (a, x, y, newp, ir, ram)) in
          ((FST m) => % invalid memory load %
            (a, x, y, newp, b, T, ram) |
            (let ldm = (SND m) in
             let ldr = (load_r rep (a, x, y, newp, ir)) in
             let result = (add rep (ldr, ldm)) in % get result, addition with carry %
             let carry = (addp rep (ldr, ldm, result)) in % get carry %
             write_reg rep (a, x, y, newp, b, F, ir, ram, result, carry)))))))");;


%
Add with overflow detection.
%

let ADDS = new_definition(`ADDS`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   ADDS rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let m = (load_m rep (a, x, y, newp, ir, ram)) in
          ((FST m) => % invalid memory load %
            (a, x, y, newp, b, T, ram) |
            (let ldm = (SND m) in
             let ldr = (load_r rep (a, x, y, newp, ir)) in
             let result = (add rep (ldr, ldm)) in
             let ovflw = (aovfl rep (ldr, ldm, result)) in % detect overflow %
             write_preg rep (a, x, y, newp, b, ovflw, ir, ram, result)))))))");;

%
Subtract without overflow detection.
%

let SUBB = new_definition(`SUBB`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
    (b:bool) (stop:bool) (ram:*memory).
   SUBB rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let m = (load_m rep (a, x, y, newp, ir, ram)) in
          ((FST m) => % invalid memory load %
            (a, x, y, newp, b, T, ram) |
            (let ldm = (SND m) in
             let ldr = (load_r rep (a, x, y, newp, ir)) in
             let result = (sub rep (ldr, ldm)) in
             let carry = (subp rep (ldr, ldm, result)) in % detect carry %
             write_reg rep (a, x, y, newp, b, F, ir, ram, result, carry)))))))");;

%
Subtract with overflow detection
%

let SUBO = new_definition(`SUBO`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   SUBO rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let m = (load_m rep (a, x, y, newp, ir, ram)) in
          ((FST m) => % invalid memory load %
            (a, x, y, newp, b, T, ram) |
            (let ldm = (SND m) in
             let ldr = (load_r rep (a, x, y, newp, ir)) in
             let result = (sub rep (ldr, ldm)) in
             let ovflw = (sovfl rep (ldr, ldm, result)) in % overflow detection %
             write_preg rep (a, x, y, newp, b, ovflw, ir, ram, result)))))))");;


%
Exclusive OR between two operands
%

let XOR = new_definition(`XOR`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   XOR rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let m = (load_m rep (a, x, y, newp, ir, ram)) in
          ((FST m) => % invalid memory load %
            (a, x, y, newp, b, T, ram) |
            (let ldm = (SND m) in
             let ldr = (load_r rep (a, x, y, newp, ir)) in
             let result = (bxor rep (ldr, ldm)) in
             write_reg rep (a, x, y, newp, b, F, ir, ram, result, b)))))))");;

%
And between two operands
%

let AND = new_definition(`AND`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   AND rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let m = (load_m rep (a, x, y, newp, ir, ram)) in
          ((FST m) => % invalid memory load %
            (a, x, y, newp, b, T, ram) |
            (let ldm = (SND m) in
             let ldr = (load_r rep (a, x, y, newp, ir)) in
             let result = (band rep (ldr, ldm)) in
             write_reg rep (a, x, y, newp, b, F, ir, ram, result, b)))))))");;

%
NOR between two operands
%

let NOR = new_definition(`NOR`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   NOR rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let m = (load_m rep (a, x, y, newp, ir, ram)) in
          ((FST m) => % invalid memory load %
            (a, x, y, newp, b, T, ram) |
            (let ldm = (SND m) in
             let ldr = (load_r rep (a, x, y, newp, ir)) in
             let result = (bnor rep (ldr, ldm)) in
             write_reg rep (a, x, y, newp, b, F, ir, ram, result, b)))))))");;

%
ANDMBAR between two operands
%

let ANDMBAR = new_definition(`ANDMBAR`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   ANDMBAR rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let m = (load_m rep (a, x, y, newp, ir, ram)) in
          ((FST m) => % invalid memory load %
            (a, x, y, newp, b, T, ram) |
            (let ldm = (SND m) in
             let ldr = (load_r rep (a, x, y, newp, ir)) in
             let result = (band rep (ldr, bnot rep ldm)) in
             write_reg rep (a, x, y, newp, b, F, ir, ram, result, b)))))))");;


%
Shift right, copy sign bit
%

let SHR = new_definition(`SHR`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   SHR rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let ldr = (load_r rep (a, x, y, newp, ir)) in
          let result = (shr rep ldr) in
          write_reg rep (a, x, y, newp, b, F, ir, ram, result, b)))))");;

%
Shift right through b
%

let SHRB = new_definition(`SHRB`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   SHRB rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let ldr = (load_r rep (a, x, y, newp, ir)) in
          let result = (shrb rep (ldr, b)) in
          let newb = (bit0 rep ldr) in
          write_reg rep (a, x, y, newp, b, F, ir, ram, result, newb)))))");;

%
Shift left
%

let SHL = new_definition(`SHL`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   SHL rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let ldr = (load_r rep (a, x, y, newp, ir)) in
          let result = (shl rep ldr) in
          % let ovflw = (aovfl rep (ldr, ldr, result)) in %
          let ovflw = (bitn rep ldr) in
          write_reg rep (a, x, y, newp, b, ovflw, ir, ram, result, b)))))");;

%
Shift left through b
%

let SHLB = new_definition(`SHLB`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   SHLB rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let ldr = (load_r rep (a, x, y, newp, ir)) in
          let result = (shlb rep (ldr, b)) in
          let newb = (bitn rep ldr) in
          write_reg rep (a, x, y, newp, b, F, ir, ram, result, newb)))))");;
let CALL = new_definition(`CALL`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   CALL rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let m = (load_m rep (a, x, y, newp, ir, ram)) in
          ((FST m) => % invalid memory load %
            (a, x, y, newp, b, T, ram) |
            (let ldm = (SND m) in
             let ldr = (load_r rep (a, x, y, newp, ir)) in
             let dsf = (DSF rep ir) in
             (a, x, newp, ldm, b, (~(valid_address rep ldm)), ram)))))))");;
% was: write_preg rep (a, x, y, newp, b, F, ir, ram, ldm)))))))");; %

let READM = new_definition(`READM`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   READM rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let m = (load_m rep (a, x, y, newp, ir, ram)) in
          ((FST m) => % invalid memory load %
            (a, x, y, newp, b, T, ram) |
            (let ldm = (SND m) in
             write_preg rep (a, x, y, newp, b, F, ir, ram, ldm)))))))");;

let READIO = new_definition(`READIO`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   READIO rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let m = (load_io rep (a, x, y, newp, ir, ram)) in
          ((FST m) => % invalid memory load %
            (a, x, y, newp, b, T, ram) |
            (let ldm = (SND m) in
             write_reg rep (a, x, y, newp, b, F, ir, ram, ldm, b)))))))");;

let WRITEIO = new_definition(`WRITEIO`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   WRITEIO rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let value = load_r rep (a, x, y, newp, ir) in
          let msfValue = (MSF rep ir) in
          let addr = (address rep ir) in
          ((msfValue = (F,F)) => (a, x, y, newp, b, T, ram) |
           ((msfValue = (F,T)) =>
             (a, x, y, newp, b, F, (storeio rep (ram, addr, value))) |
            ((msfValue = (T,F)) => (let t = (add rep (x, (pad rep addr))) in
                                    ((valid_address rep t) =>
                                      (a, x, y, newp, b, F, (storeio rep (ram, (address rep t), value))) |
                                      (a, x, y, newp, b, T, ram))) |
             (let t = (add rep (y, (pad rep addr))) in
              ((valid_address rep t) =>
                (a, x, y, newp, b, F, (storeio rep (ram, (address rep t), value))) |
                (a, x, y, newp, b, T, ram))))))))))");;

let WRITEM = new_definition(`WRITEM`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   WRITEM rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (let ir = (fetch rep (ram, address rep p)) in
          let value = load_r rep (a, x, y, newp, ir) in
          let msfValue = (MSF rep ir) in
          let addr = (address rep ir) in
          ((msfValue = (F,F)) => (a, x, y, newp, b, T, ram) | % msf = 00 %
           ((msfValue = (F,T)) =>
             (a, x, y, newp, b, F, (store rep (ram, addr, value))) |
            ((msfValue = (T,F)) => (let t = (add rep (x, (pad rep addr))) in
                                    ((valid_address rep t) =>
                                      (a, x, y, newp, b, F, (store rep (ram, (address rep t), value))) |
                                      (a, x, y, newp, b, T, ram))) |
             (let t = (add rep (y, (pad rep addr))) in
              ((valid_address rep t) =>
                (a, x, y, newp, b, F, (store rep (ram, (address rep t), value))) |
                (a, x, y, newp, b, T, ram))))))))))");;

let NOOP_M = new_definition(`NOOP_M`,
  "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
    (stop:bool) (ram:*memory).
   NOOP_M rep (a, x, y, p, b, stop, ram) =
     (stop => (a, x, y, p, b, stop, ram) |
      (let newp = (add rep (p, wordn rep 1)) in
       ((~valid_address rep newp) =>
         (a, x, y, newp, b, T, ram) |
         (a, x, y, add rep (p, (wordn rep 1)), b, F, ram))))");;
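The definitions above are abstract in `rep`, so nothing on the page can be run. As an added example (not code from the report or from the HOL sources it reproduces), the following Python model mirrors load_m, load_r, write_reg, write_preg and two of the instructions, ADDS and CALL, closely enough to exercise the cases the HOL text guards against: an incremented p that leaves the address space, an indexed operand whose effective address is not valid, a signed overflow in ADDS, a CALL target that cannot be fetched from, and a machine that is already stopped. The 32-bit word, 20-bit address, the packing of the rsf/msf/dsf/fsf/csf fields into the instruction word, and reading unmapped memory as zero are assumptions of this example; the appendix leaves all of them inside `rep`.

```python
from dataclasses import dataclass

WORD_BITS, ADDR_BITS = 32, 20          # assumed widths; the HOL text keeps them abstract in rep
WORD_MASK, ADDR_MASK = (1 << WORD_BITS) - 1, (1 << ADDR_BITS) - 1
SIGN = 1 << (WORD_BITS - 1)

@dataclass(frozen=True)
class State:                           # the (a, x, y, p, b, stop, ram) tuple of the HOL definitions
    a: int; x: int; y: int; p: int; b: bool; stop: bool; ram: tuple

# rep-level primitives: valid_address, address (pad is the identity on ints here), add, aovfl, fetch
def valid_address(w): return (w & WORD_MASK) <= ADDR_MASK       # every bit above the address is 0
def address(w): return w & ADDR_MASK
def add(u, v): return (u + v) & WORD_MASK
def aovfl(u, v, r): return (u & SIGN) == (v & SIGN) and (r & SIGN) != (u & SIGN)  # signed overflow
def fetch(ram, addr): return ram[addr] if addr < len(ram) else 0  # assumption: unmapped words read 0

# instruction fields; this packing of the word is an assumption of the example, not the report's
_FIELDS = {"rsf": (30, 3), "msf": (28, 3), "dsf": (25, 7), "fsf": (21, 15), "csf": (20, 1)}
def field(ir, name):
    shift, mask = _FIELDS[name]
    return (ir >> shift) & mask
def mk_ir(addr=0, **fields):
    return sum(v << _FIELDS[k][0] for k, v in fields.items()) | (addr & ADDR_MASK)

def load_m(st, ir):
    """load_m: returns (invalid, operand); the addressing mode is chosen by msf."""
    addr, msf = address(ir), field(ir, "msf")
    if msf == 0: return False, addr                        # (F,F): the address field itself
    if msf == 1: return False, fetch(st.ram, addr)         # (F,T): direct
    t = add(st.x if msf == 2 else st.y, addr)              # (T,F): x-indexed, (T,T): y-indexed
    return (False, fetch(st.ram, address(t))) if valid_address(t) else (True, addr)

def load_r(st, newp, ir):
    """load_r: source register chosen by rsf; p is the already incremented p."""
    return (st.a, st.x, st.y, newp)[field(ir, "rsf")]

def write_reg(st, newp, stop, ir, value, newb):
    """write_reg: dsf 000/001/010 write a/x/y; any other destination is illegal and stops."""
    dsf = field(ir, "dsf")
    if dsf == 0: return State(value, st.x, st.y, newp, newb, stop, st.ram)
    if dsf == 1: return State(st.a, value, st.y, newp, newb, stop, st.ram)
    if dsf == 2: return State(st.a, st.x, value, newp, newb, stop, st.ram)
    return State(st.a, st.x, st.y, newp, st.b, True, st.ram)

def write_preg(st, newp, stop, ir, value):
    """write_preg: as write_reg, but dsf 011/100/101 may write p (jump, call, conditional skip)."""
    dsf, b = field(ir, "dsf"), st.b
    call = field(ir, "csf") == 0 and field(ir, "fsf") == 0b0001
    if dsf in (0, 1, 2): return write_reg(st, newp, stop, ir, value, b)
    if dsf in (6, 7): return State(st.a, st.x, st.y, newp, b, True, st.ram)        # illegal
    if (dsf == 4 and not b) or (dsf == 5 and b):                                      # skip not taken
        return State(st.a, st.x, st.y, newp, b, False, st.ram)
    bad = not valid_address(value)                       # a p the machine could not fetch from stops it
    if call: return State(st.a, st.x, newp, value, b, bad or stop, st.ram)            # y := return address
    return State(st.a, st.x, st.y, value, b, stop or bad, st.ram)

def _operands(st):
    """Prologue shared by the instructions: p+1, fetch, load_m and load_r, or a stopped state."""
    if st.stop: return st, None                          # a stopped machine does nothing
    newp = add(st.p, 1)
    if not valid_address(newp):                          # p has left the address space
        return State(st.a, st.x, st.y, newp, st.b, True, st.ram), None
    ir = fetch(st.ram, address(st.p))
    invalid, ldm = load_m(st, ir)
    if invalid:                                          # invalid memory load
        return State(st.a, st.x, st.y, newp, st.b, True, st.ram), None
    return None, (newp, ir, ldm, load_r(st, newp, ir))

def ADDS(st):
    """Add with overflow detection: the signed-overflow flag becomes the new stop bit."""
    done, ops = _operands(st)
    if done is not None: return done
    newp, ir, ldm, ldr = ops
    result = add(ldr, ldm)
    return write_preg(st, newp, aovfl(ldr, ldm, result), ir, result)

def CALL(st):
    """CALL: y keeps the return address, p becomes the operand; stop if that is not addressable."""
    done, ops = _operands(st)
    if done is not None: return done
    newp, _ir, ldm, _ldr = ops
    return State(st.a, st.x, newp, ldm, st.b, not valid_address(ldm), st.ram)

# constructed sample memory: a four-word program followed by data words
SAMPLE_RAM = (
    mk_ir(msf=0, dsf=0, addr=5),     # 0: a := a + 5          (address field as operand)
    mk_ir(msf=1, dsf=1, addr=6),     # 1: x := a + mem[6]     (direct)
    mk_ir(msf=1, dsf=3, addr=7),     # 2: CALL mem[7]
    mk_ir(msf=2, dsf=0, addr=0),     # 3: a := a + mem[x + 0] (x-indexed)
    0, 0, 0x7FFFFFFF, 0x00100000,    # 6: largest positive word; 7: bit 20 set, not a valid address
)

def run_examples():
    """Constructed scenarios: every fault the HOL definitions guard against ends with stop = T."""
    s = lambda a, x, p: State(a, x, 0, p, False, False, SAMPLE_RAM)
    ovfl = ADDS(s(5, 0, 1))
    return {
        "add": ADDS(s(5, 0, 0)),                  # a = 10, the machine runs on
        "adds_ovfl": ovfl,                        # 5 + 0x7FFFFFFF overflows: stop
        "call_bad": CALL(s(5, 0, 2)),             # call target outside the address space: stop
        "index_bad": ADDS(s(5, 0x00100000, 3)),   # x-indexed operand outside the address space: stop
        "p_wrap": ADDS(s(0, 0, ADDR_MASK)),       # p+1 leaves the address space: stop
        "stopped_stays": ADDS(ovfl),              # a stopped machine does not change
    }
```

Two properties of the HOL definitions are visible in the model and are what the correctness proofs above depend on: every instruction begins with the same `stop` test, so a stopped state is a fixed point of the whole instruction set, and every way an operand or a new p can fall outside the address space is resolved before any register is written, so a fault leaves the registers at their pre-instruction values with only p advanced and stop set.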

let macro_state = ":((*wordn)#(*wordn)#(*wordn)#(*wordn)#bool#bool#(*memory))";;
let macro_env = ":(bool)";;

%
ABS_ENV takes a function of type (macro_state -> macro_state)
and creates a function of type (macro_state -> macro_env -> macro_state).
The purpose of this function is to make the functions defining the
instructions have the right type for use in the instruction list.
%

let ABS_ENV = new_definition
  (`ABS_ENV`,
   "!(f:^macro_state->^macro_state) (x:^macro_state) (y:^macro_env).
    ABS_ENV f x y = f x"
  );;

let macro_inst_list = new_definition
  (`macro_inst_list`,
   "!(rep:^rep_ty).
    macro_inst_list rep =
      [((F,F,F,F,F), ABS_ENV (NOOP_M rep));
       ((F,F,F,F,T), ABS_ENV (SHR rep));
       ((F,F,F,T,F), ABS_ENV (SHRB rep));
       ((F,F,F,T,T), ABS_ENV (SHLB rep));
       ((F,F,T,F,F), ABS_ENV (SHL rep));
       ((F,F,T,F,T), ABS_ENV (CMP rep));
       ((F,F,T,T,F), ABS_ENV (WRITEM rep));
       ((F,F,T,T,T), ABS_ENV (WRITEIO rep));
       ((F,T,F,F,F), ABS_ENV (NEG rep));
       ((F,T,F,F,T), ABS_ENV (CALL rep));
       ((F,T,F,T,F), ABS_ENV (READIO rep));
       ((F,T,F,T,T), ABS_ENV (READM rep));
       ((F,T,T,F,F), ABS_ENV (ADDB rep));
       ((F,T,T,F,T), ABS_ENV (ADDS rep));
       ((F,T,T,T,F), ABS_ENV (SUBB rep));
       ((F,T,T,T,T), ABS_ENV (SUBO rep));
       ((T,F,F,F,F), ABS_ENV (XOR rep));
       ((T,F,F,F,T), ABS_ENV (AND rep));
       ((T,F,F,T,F), ABS_ENV (NOR rep));
       ((T,F,F,T,T), ABS_ENV (ANDMBAR rep));
       ((T,F,T,F,F), ABS_ENV (NOOP_M rep));
       ((T,F,T,F,T), ABS_ENV (NOOP_M rep));
       ((T,F,T,T,T), ABS_ENV (NOOP_M rep));
       ((T,T,F,F,F), ABS_ENV (NOOP_M rep));
       ((T,T,F,F,T), ABS_ENV (NOOP_M r

ep));
       ((T,T,F,T,F), ABS_ENV (NOOP_M rep));
       ((T,T,F,T,T), ABS_ENV (NOOP_M rep));
       ((T,T,T,F,F), ABS_ENV (NOOP_M rep));
       ((T,T,T,F,T), ABS_ENV (NOOP_M rep));
       ((T,T,T,T,F), ABS_ENV (NOOP_M rep));
       ((T,T,T,T,T), ABS_ENV (NOOP_M rep));]");;

% return the key based on the state %
let Opcode = new_definition
  (`Opcode`,
   "!(rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
     (stop:bool) (ram:*memory) (reset:bool).
    Opcode rep (a, x, y, p, b, stop, ram) (reset) =
      (FST (SND (decode rep ((opcode rep
                               (fetch rep (ram, address rep p))), b))))");;

%
Opc_Val will be used to instantiate key in mk_macro.ml
%

let Opc_Val = new_definition
  (`Opc_Val`,
   "!(x:bt5).
    Opc_Val x =
      (bt5_val x)"
  );;

close_theory();;
% new_inst_aux updates "update_reg" usage to include new "b" parameter %

load_parent `regs_def`;;
load_parent `aux_thms`;;
load_parent `macro_def`;;

let REG_LIST_LENGTH = new_definition
  (`REG_LIST_LENGTH`,
   "REG_LIST_LENGTH (rep:^rep_ty) =
      !(l:(*wordn) list). (LENGTH l = p_reg)");;

%
Prove some facts about the independence of register updates
%

let EL_SET_EL_TAC =
  REPEAT GEN_TAC
  THEN REWRITE_TAC [A; X; Y; P]
  THEN CONV_TAC (TOP_DEPTH_CONV num_CONV)
  THEN REWRITE_TAC [LENGTH_CONS]
  THEN DISCH_TAC
  THEN POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC (rev (CONJUNCTS thm)))
  THEN POP_ASSUM(\thm. DISJ_CASES_TAC thm)
  THENL
    [ALL_TAC;
     POP_ASSUM(\thm. DISJ_CASES_TAC thm)
    ]
  THEN POP_ASSUM(\theCase.
         POP_ASSUM(\thm. ASSUME_TAC (REWRITE_RULE [theCase] thm))
         THEN REWRITE_TAC [theCase])
  THEN POP_ASSUM(\thm. CHOOSE_THEN CHOOSE_TAC thm)
  THEN POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC (rev (CONJUNCTS thm)))
  THEN POP_ASSUM(\thm. CHOOSE_THEN CHOOSE_TAC thm)
  THEN POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC (rev (CONJUNCTS thm)))
  THEN POP_ASSUM(\thm. CHOOSE_THEN CHOOSE_TAC thm)
  THEN POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC (rev (CONJUNCTS thm)))
  THEN ASM_REWRITE_TAC []
  THEN CONV_TAC (TOP_DEPTH_CONV num_CONV)
  THEN REWRITE_TAC [EL; SET_EL; HD; TL];;

%
Run time: 76.5s

Intermediate theorems generated: 4412
%


let INDEP_A_UPDATE = prove_thm(`INDEP_A_UPDATE`,
  "!(n:num) (l:*wordn list) (z:*wordn).
    (((n = x_reg) \/ (n = y_reg) \/ (n = p_reg)) /\
     (LENGTH l = p_reg))
    ==> ((EL n (SET_EL a_reg l z)) = EL n l)",
  EL_SET_EL_TAC);;

let INDEP_X_UPDATE = prove_thm(`INDEP_X_UPDATE`,
  "!(n:num) (l:*wordn list) (z:*wordn).
    (((n = a_reg) \/ (n = y_reg) \/ (n = p_reg)) /\
     (LENGTH l = p_reg))
    ==> ((EL n (SET_EL x_reg l z)) = EL n l)",
  EL_SET_EL_TAC);;

let INDEP_Y_UPDATE = prove_thm(`INDEP_Y_UPDATE`,
  "!(n:num) (l:*wordn list) (z:*wordn).
    (((n = a_reg) \/ (n = x_reg) \/ (n = p_reg)) /\
     (LENGTH l = p_reg))
    ==> ((EL n (SET_EL y_reg l z)) = EL n l)",
  EL_SET_EL_TAC);;

let INDEP_P_UPDATE = prove_thm(`INDEP_P_UPDATE`,
  "!(n:num) (l:*wordn list) (z:*wordn).
    (((n = a_reg) \/ (n = x_reg) \/ (n = y_reg)) /\
     (LENGTH l = p_reg))
    ==> ((EL n (SET_EL p_reg l z)) = EL n l)",
  EL_SET_EL_TAC);;

%
LISTa_CORRECT
Run time: 49.9s

Intermediate theorems generated: 1467
%

let LISTa_CORRECT = prove_thm(`LISTa_CORRECT`,
  "!(l:(*wordn) list) b t. (LENGTH l = p_reg) ==>
    (EL a_reg (update_reg l (F,T,T) (b (t:num))
                 (add (rep:^rep_ty) (EL p_reg l, wordn rep 1))) =
     EL a_reg l)",
  REPEAT GEN_TAC
  THEN DISCH_TAC
  THEN REWRITE_TAC [update_reg; PAIR_EQ]
  THEN IMP_RES_TAC (REWRITE_RULE []
         (SPECL ["a_reg"; "l:(*wordn) list";
                 "(add (rep:^rep_ty) (EL p_reg l, wordn rep 1))"]
                INDEP_P_UPDATE))
  THEN ASM_REWRITE_TAC []);;

let LISTx_CORRECT = prove_thm(`LISTx_CORRECT`,
  "!(l:(*wordn) list) b t. (LENGTH l = p_reg) ==>
    (EL x_reg (update_reg l (F,T,T) (b (t:num))
                 (add (rep:^rep_ty) (EL p_reg l, wordn rep 1))) =
     EL x_reg l)",
  REPEAT GEN_TAC
  THEN DISCH_TAC
  THEN REWRITE_TAC [update_reg; PAIR_EQ]
  THEN IMP_RES_TAC (REWRITE_RULE []
         (SPECL ["x_reg"; "l:(*wordn) list";
                 "(add (rep:^rep_ty) (EL p_reg l, wordn rep 1))"]
                INDEP_P_UPDATE))
  THEN ASM_REWRITE_TAC []);;

let LISTy_CORRECT = prove_thm(`LISTy_CORRECT`,
  "!(l:(*wordn) list) b t. (LENGTH l = p_reg) ==>
    (EL y_reg (update_reg l (F,T,T) (b (t:num))
                 (add (rep:^rep_ty) (EL p_reg l, wordn rep 1))) =
     EL y_reg l)",
  REPEAT GEN_TAC
  THEN DISCH_TAC
  THEN REWRITE_TAC [update_reg; PAIR_EQ]
  THEN IMP_RES_TAC (REWRITE_RULE []
         (SPECL ["y_reg"; "l:(*wordn) list";
                 "(add (rep:^rep_ty) (EL p_reg l, wordn rep 1))"]
                INDEP_P_UPDATE))
  THEN ASM_REWRITE_TAC []);;

*ap (delete.cache o fst) (cached. theories( )); ; 


1 

Use this to generate goals for correct instantiation (implementation) proof 
*** This redefines the one in mk.mac.? + ** 


let MK.INST.CQRRECT.GOAL n * 
let inst - term.list.el n 
(snd(dest_eq( 

snd ( des t. f oral 1 (cone 1 macro. inst. list )))) ) in 
!(rep: rep.ty) (regs : t irae->(*wordn)list) (m ins din dout : time->*wordn) 
(ram: time->*memory ) (b stop ovl : time->bool) (mar:time->*address) 

(res : t ime->*uordn) (mpe : t inie->bt7 ) (reset.e : time->bool) . 

(REG.L 1ST. LENGTH rep /\ 
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DECODE_M_CQRRECTLY_IMP rep) ==> 


(Macro_Int _IMPL_IMP rep 

(\t. (reg t,m t,ins t.din t,dout t, 
res t, mpc t)) 

(\t. reset_e t) “inst) M ;; 


ram t,b t.stop t,ovl t, mar t. 


t 

definitions for symbolic execution 


7 . 


let int_to_term = ((C o curry) mk_const ":num") o string_of_int and
    term_to_int = (int_of_string o fst o dest_const);;

let sum_to_term x y = int_to_term (x+y);;

let sumTerm x y =
  mk_comb(mk_comb(mk_const(`+`,
                    mk_type(`fun`, [mk_type(`num`,[]);
                                    mk_type(`fun`, [mk_type(`num`,[]);
                                                    mk_type(`num`,[])])])),
                  mk_const((string_of_int x), mk_type(`num`,[]))),
          mk_const((string_of_int y), mk_type(`num`,[])));;

let t_plus_term y =
  mk_comb(mk_comb(mk_const(`+`,
                    mk_type(`fun`, [mk_type(`num`,[]);
                                    mk_type(`fun`, [mk_type(`num`,[]);
                                                    mk_type(`num`,[])])])),
                  mk_var(`t`, mk_type(`num`,[]))),
          mk_const((string_of_int y), mk_type(`num`,[])));;

let sumTHM x y =
  REWRITE_RULE [
    (REWRITE_RULE [ADD_CLAUSES;
                   SYM_RULE ((TOP_DEPTH_CONV num_CONV) (sum_to_term x y))]
                  ((TOP_DEPTH_CONV num_CONV) (sumTerm x y)))]
    (SPECL ["t"; int_to_term x; int_to_term y] (SYM_RULE ADD_ASSOC));;

%
let T_DIFF_TAC x y =
  REWRITE_TAC [SPECL ["t";x;y] (SYM_RULE ADD_ASSOC)]
  THEN CONV_TAC (TOP_DEPTH_CONV num_CONV)
  THEN REWRITE_TAC [ADD_CLAUSES];;

set_goal([], "(t+3)+4 = t+7");;
e(T_DIFF_TAC "3" "4");;
%



let PLUS_ONE_TAC n =
  REWRITE_TAC [(SYM_RULE ADD1); (num_CONV n); ADD_CLAUSES];;


let T2 = prove_thm(`T2`, "!t. (t + 1) + 1 = t + 2", PLUS_ONE_TAC "2");;
let T3 = prove_thm(`T3`, "!t. (t + 2) + 1 = t + 3", PLUS_ONE_TAC "3");;
let T4 = prove_thm(`T4`, "!t. (t + 3) + 1 = t + 4", PLUS_ONE_TAC "4");;
let T5 = prove_thm(`T5`, "!t. (t + 4) + 1 = t + 5", PLUS_ONE_TAC "5");;
let T6 = prove_thm(`T6`, "!t. (t + 5) + 1 = t + 6", PLUS_ONE_TAC "6");;
let T7 = prove_thm(`T7`, "!t. (t + 6) + 1 = t + 7", PLUS_ONE_TAC "7");;
let T8 = prove_thm(`T8`, "!t. (t + 7) + 1 = t + 8", PLUS_ONE_TAC "8");;
let T9 = prove_thm(`T9`, "!t. (t + 8) + 1 = t + 9", PLUS_ONE_TAC "9");;
let T10 = prove_thm(`T10`, "!t. (t + 9) + 1 = t + 10", PLUS_ONE_TAC "10");;
let T11 = prove_thm(`T11`, "!t. (t + 10) + 1 = t + 11", PLUS_ONE_TAC "11");;
let T12 = prove_thm(`T12`, "!t. (t + 11) + 1 = t + 12", PLUS_ONE_TAC "12");;
let T13 = prove_thm(`T13`, "!t. (t + 12) + 1 = t + 13", PLUS_ONE_TAC "13");;
let T14 = prove_thm(`T14`, "!t. (t + 13) + 1 = t + 14", PLUS_ONE_TAC "14");;
let T15 = prove_thm(`T15`, "!t. (t + 14) + 1 = t + 15", PLUS_ONE_TAC "15");;
let T16 = prove_thm(`T16`, "!t. (t + 15) + 1 = t + 16", PLUS_ONE_TAC "16");;
let T17 = prove_thm(`T17`, "!t. (t + 16) + 1 = t + 17", PLUS_ONE_TAC "17");;
let T18 = prove_thm(`T18`, "!t. (t + 17) + 1 = t + 18", PLUS_ONE_TAC "18");;

let T_THMS =
  [T2; T2; T3; T4; T5; T6; T7; T8; T9; T10; T11; T12; T13; T14; T15; T16; T17; T18];;




%
  Define the relationship between selectors op and address and the
  constructor join
%


let op_join_op = mk_thm([], "!fet ad.
  (opcode (rep:^rep_ty)
     (join rep (opcode rep(fet),
               address rep(ad)))) = opcode rep(fet)");;

let address_join_address = mk_thm([], "!fet ad.
  (address (rep:^rep_ty)
     (join rep (opcode rep(fet),
               address rep(ad)))) = address rep(ad)");;

let DSF_join_op = mk_thm([], "!fet ad.
  (DSF (rep:^rep_ty)
     (join rep (opcode rep(fet),
               address rep(ad)))) = DSF rep(fet)");;

let RSF_join_op = mk_thm([], "!fet ad.
  (RSF (rep:^rep_ty)
     (join rep (opcode rep(fet),
               address rep(ad)))) = RSF rep(fet)");;

let address_pad_address = mk_thm([], "!w.
  (address (rep:^rep_ty) (pad rep (address rep(w)))) =
  address rep(w)");;

let FSF_join_op = mk_thm([], "!fet ad.
  (FSF (rep:^rep_ty)
     (join rep (opcode rep(fet),
               address rep(ad)))) = FSF rep(fet)");;


%
  NORMAL_SYMB_EXEC takes as arguments a microinstruction to expand
  and one of the "T" theorems from above
  should append _TAC to the name !
%

let NORMAL_SYMB_EXEC n T =
  IMP_RES_TAC (el n Micro_Int_Inst_list)
  THEN ASSUM_LIST (\asl. POP_ASSUM(\thm. POP_ASSUM(\thm1.
    % note that thm thm1 are not used %
    MAP_EVERY ASSUME_TAC (CONJUNCTS (REWRITE_RULE
      ([PAIR_EQ; T; op_join_op; address_join_address;
        DSF_join_op; RSF_join_op; address_pad_address]
       @ (subtract asl [(el 1 asl)])) (el 1 asl))))))
  THEN NORMAL_POP_ASSUM_TAC;;


%
  NEXT_SYMB_EXEC_TAC determines what the next microinstruction
  expansion should be based on the mpc (on top of assumption stack).
  It then invokes NORMAL_SYMB_EXEC passing one of the T_THMS.

  (term_to_int (bt_val_func (snd(dest_eq(snd(dest_thm (el 1 asl))))))+1) t);;
%

let mpc_from_thm thm =
  (term_to_int (bt_val_func (snd(dest_eq(snd(dest_thm(thm)))))));;

let NEXT_SYMB_EXEC_TAC theTime =
  let t = (el theTime T_THMS) in
  ASSUM_LIST (\asl. NORMAL_SYMB_EXEC (mpc_from_thm (el 1 asl) + 1) t);;

% CASES_NEXT_SYMB_EXEC_TAC may be outdated %

let CASES_NEXT_SYMB_EXEC_TAC theTime theCond =
  let t = (el theTime T_THMS) in
  ASSUM_LIST (\asl.
    IMP_RES_TAC (el (mpc_from_thm (el 1 asl)+1) Micro_Int_Inst_list))
  THEN ASM_CASES_TAC theCond
  THEN ASSUM_LIST (\asl. POP_ASSUM(\keep.
    POP_ASSUM(\thm. POP_ASSUM(\thm1.
      % note that thm thm1 are not used %
      MAP_EVERY ASSUME_TAC ([keep] @ (CONJUNCTS (REWRITE_RULE
        ([PAIR_EQ; t] @ (subtract asl [thm])) thm)))))))
  THEN NORMAL_POP_ASSUM_TAC;;


%
  The following definitions help remove unneeded theorems from the assumption
  list. After using NORMAL_SYMB_EXEC, there are many theorems from the
  previous step that can be eliminated.

  The tactic DELETE_USTEP_TAC expects a number argument and removes all
  theorems from the assumption list corresponding to that time.

  is_at_time_of 2 "foo(t+1):bool" = false;;
  (is_at_time_of 1 "foo(t+1) = false") = false;;
  (is_at_time_of 1 "~foo(t+1)") = true;;
%


let is_at_time_of utime tok =
  if (is_eq tok)
  then (let l = lhs(tok) in                      % mar(t+1) %
        if (is_comb l)
        then (let r = rand(l) in                 % (t + 1) %
              if (is_comb r)
              then (let op = rator(r) in
                    if (op = "$+ t")
                    then (if (rand(r) = int_to_term(utime))
                          then
                            if (rator(l) = "mpc") then
                              (print_ibegin 0; print_term tok; print_end();
                               print_newline(); true)
                            else true
                          else false)
                    else false)
              else false)
        else false)
  else (if (is_neg tok)
        then (let tk = dest_neg(tok) in
              if (is_comb tk)
              then (let r = rand(tk) in          % (t + 1) %
                    if (is_comb r)
                    then (let op = rator(r) in
                          if (op = "$+ t")
                          then (if (rand(r) = int_to_term(utime))
                                then true
                                else false)
                          else false)
                    else false)
              else false)
        else false) ? false;;


let FIND_ASSUMS f asl = (filter (f o concl) asl);;

let DELETE_USTEP_TAC when =
  POP_ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC (
    (rev (subtract asl (FIND_ASSUMS (is_at_time_of when) asl)))));;
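As an added illustration (not code from the report), the same assumption-pruning logic modelled in Python: HOL terms become nested tuples, and is_at_time_of / delete_ustep mirror the branch structure of the ML above, including the split between equations and negations. The term constructors and the sample assumption list are constructed here for the example.

```python
"""Constructed model of is_at_time_of / DELETE_USTEP_TAC (not the report's ML).

HOL terms are represented as nested tuples so that the branch structure of
the ML function can be mirrored one check at a time:
  ("const", name) | ("var", name) | ("num", n)
  ("comb", rator, rand) | ("eq", lhs, rhs) | ("neg", body)
"""
from typing import Any, List, Tuple

Term = Tuple[Any, ...]


def const(name: str) -> Term:
    return ("const", name)


def var(name: str) -> Term:
    return ("var", name)


def num(n: int) -> Term:
    return ("num", n)


def comb(rator_: Term, rand_: Term) -> Term:
    return ("comb", rator_, rand_)


def plus_t(n: int) -> Term:
    """The HOL term  t + n, which parses as  ($+ t) n."""
    return comb(comb(const("$+"), var("t")), num(n))


def at(f: str, arg: Term) -> Term:
    """Application of a state function, e.g.  mar(t + 3)."""
    return comb(const(f), arg)


def eq(lhs: Term, rhs: Term) -> Term:
    return ("eq", lhs, rhs)


def neg(body: Term) -> Term:
    return ("neg", body)


def is_comb(t: Term) -> bool:
    return t[0] == "comb"


def rator(t: Term) -> Term:
    return t[1]


def rand(t: Term) -> Term:
    return t[2]


def applied_at_time(l: Term, utime: int) -> bool:
    """The shared inner test: does  l  have the shape  f(t + utime)?"""
    if not is_comb(l):
        return False
    r = rand(l)                                  # hopefully  t + n
    if not is_comb(r):
        return False
    if rator(r) != comb(const("$+"), var("t")):  # op must be  $+ t
        return False
    return rand(r) == num(utime)                 # and n must be utime


def is_at_time_of(utime: int, tok: Term) -> bool:
    """Mirror of the ML predicate: an equation  f(t+utime) = v  or a
    negation  ~f(t+utime)  is "at time utime"; anything else is not."""
    if tok[0] == "eq":
        # The ML version also prints the term when rator(l) = mpc; the
        # result is true either way, so the print is omitted here.
        return applied_at_time(tok[1], utime)
    if tok[0] == "neg":
        return applied_at_time(tok[1], utime)
    return False


def find_assums(pred, asl: List[Term]) -> List[Term]:
    """FIND_ASSUMS: the assumptions whose conclusion satisfies pred."""
    return [a for a in asl if pred(a)]


def delete_ustep(when: int, asl: List[Term]) -> List[Term]:
    """DELETE_USTEP_TAC: drop every assumption about time  t + when,
    keeping the others in their original order."""
    doomed = find_assums(lambda a: is_at_time_of(when, a), asl)
    return [a for a in asl if a not in doomed]


# Constructed assumption list after a few symbolic-execution steps.
SAMPLE_ASL: List[Term] = [
    eq(at("mpc", plus_t(3)), const("F,F,F,F,T,T,F")),   # mpc(t+3) = ...
    neg(at("stop", plus_t(3))),                          # ~stop(t+3)
    eq(at("mar", plus_t(4)), var("a")),                  # mar(t+4) = a
    eq(var("b"), const("T")),                            # b = T (no time)
]
```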


%
  This function returns the nth term in a "pair". It was defined to
  help pull out a case split from inside the state (eg valid addressing)
%

letrec pair_el n p =
  if (n = 1) then
    if (is_pair p) then fst(dest_pair(p)) else p
  else pair_el (n-1) (snd(dest_pair(p)));;


%
  The following tactic converts an assumption like
    ["mpc(t + 6) = bt7_ival(6 + (bt5_val(F,F,F,F,F)))"]
  to:
    ["mpc(t + 6) = F,F,F,F,T,T,F"]
  It is a modified version of NORMAL_POP_ASSUM_TAC
  (who picked that tactic name anyway? :-) )
%

let JMPOPC_POP_ASSUM_TAC =
  POP_ASSUM (\thm. ASSUME_TAC (
    CONV_RULE (ONCE_DEPTH_CONV bt7_ival_CONV) (
      CONV_RULE DEC_ADD_CONV (
        % DEC_ADD_CONV broken for "0 + 1" %
        PURE_ONCE_REWRITE_RULE [ADD_CLAUSES] (
          CONV_RULE (ONCE_DEPTH_CONV bt5_val_CONV) (
            REWRITE_RULE [add_bt7] thm))))));;

map (delete_cache o fst) (cached_theories());;

let FETCH_INST_TAC n =                   % set up everything for all proofs? %
  let thm = el (n+1) macro_defn_list in (
  let inst_lemma = EXPAND_LET_RULE thm
  and inst = term_list_el n
               (snd(dest_eq(
                 snd(dest_forall(concl macro_inst_list))))) in (
  REPEAT GEN_TAC
  THEN STRIP_TAC
  THEN SUBST_TAC [SPEC inst Macro_Int_IMPL_IMP_LEMMA]
  THEN ASM_REWRITE_TAC [inst_lemma; ABS_ENV]))
  THEN STRIP_TAC                         % don't use REPEAT STRIP_TAC! %
  THEN STRIP_TAC
  THEN STRIP_TAC
  THEN % specialize the LISTx assumptions but preserve the assumption order %
  POP_ASSUM_LIST (\asl.
    ASSUME_TAC (el 5 asl)
    THEN ASSUME_TAC (SPEC "(reg t):*wordn list"
                          (REWRITE_RULE [REG_LIST_LENGTH] (el 5 asl)))
    THEN IMP_RES_TAC LISTa_CORRECT
    THEN IMP_RES_TAC LISTx_CORRECT
    THEN IMP_RES_TAC LISTy_CORRECT
    THEN ASSUME_TAC (el 4 asl) THEN ASSUME_TAC (el 3 asl)
    THEN ASSUME_TAC (el 2 asl) THEN ASSUME_TAC (el 1 asl))
  THEN ASSUM_LIST (\asl. ASSUME_TAC (REWRITE_RULE [(el 2 asl); PAIR_EQ]
    (EXPAND_LET_RULE (SPECL
      ["fetch (rep:^rep_ty) (ram (t:num),
          address rep (EL p_reg (reg (t:num)))):*wordn";
       "(b (t:num)):bool"]
      (PURE_REWRITE_RULE [DECODE_M_CORRECTLY_IMP] (el 4 asl))))))
  THEN ASSUM_LIST (\asl. ASSUME_TAC (REWRITE_RULE [(el 3 asl); PAIR_EQ] (SPEC
    (fst(dest_eq(snd(dest_thm(el 3 asl))))) MacroLevelCycles))))
  THEN ASM_REWRITE_TAC []
  % take care of stop case %
  THEN ASM_CASES_TAC "(stop (t:num)):bool"
  THEN ASSUM_LIST (\asl. REWRITE_TAC [el 1 asl])
  THENL [ % subgoal 1 (stop t) %
    ASSUM_LIST (\asl. IMP_RES_TAC
      (SPECL [(snd(dest_eq(snd(dest_thm(el 2 asl))))); "t:num"] stop_thm))
    THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC
      (CONJUNCTS (REWRITE_RULE [PAIR_EQ] (el 1 asl))))
    THEN ASM_REWRITE_TAC [PAIR_EQ]
  ; % subgoal 2 ~stop t %
    NORMAL_SYMB_EXEC 1 T2                % T2 here is a placeholder %
    THEN NORMAL_SYMB_EXEC 2 T2
    THEN COND_CASES_TAC
    THENL [ % subgoal 2.1 ~valid_address %
      NORMAL_SYMB_EXEC 3 T3
      % The processor is now stopped due to an addressing exception %
      % specialize and rewrite stop_thm show nothing will change %
      THEN ASSUM_LIST (\asl. ASSUME_TAC (REWRITE_RULE
        [(el 5 asl); (el 43 asl); (el 1 asl)] (SPECL [(int_to_term
          ((term_to_int (snd(dest_eq(snd(dest_thm
            (REWRITE_RULE [PAIR_EQ] (el 39 asl)))))))) - 3));
          "(t+3):num"] stop_thm))))
      THEN ASSUM_LIST (\asl. (POP_ASSUM(\thm.
        (MAP_EVERY ASSUME_TAC (CONJUNCTS (REWRITE_RULE
          ([PAIR_EQ; (sumTHM 3
             ((term_to_int (snd(dest_eq(snd(dest_thm
               (el 40 asl)))))) - 3))]
           @ (subtract asl [(el 1 asl)])) (el 1 asl)))))))
      THEN ASM_REWRITE_TAC [PAIR_EQ]
      THEN REWRITE_TAC [update_reg; PAIR_EQ; EL_SET_EL]
    ; % subgoal 2.2 valid_address %
      POP_ASSUM(\thm. ASSUME_TAC (REWRITE_RULE [] thm))
      THEN NORMAL_SYMB_EXEC 3 T3
      THEN DELETE_USTEP_TAC 1 THEN DELETE_USTEP_TAC 2



%
  Useful in proving shift correct
%

map (delete_cache o fst) (cached_theories());;

let INDEP_REG_TAC aReg INDEP_THM =
  ASSUM_LIST(\asl. REWRITE_TAC
    [(REWRITE_RULE [(SPEC "(update_reg (reg (t:num)) (F,T,T)
                             (add rep(EL p_reg(reg t),wordn (rep:^rep_ty) 1)))"
                          (REWRITE_RULE [REG_LIST_LENGTH] (last asl)))]
       (SPECL [aReg; "(update_reg(reg (t:num)) (F,T,T)
                        (add rep(EL p_reg(reg t),wordn (rep:^rep_ty) 1)))"]
              INDEP_THM))]);;

% |- EL 1 = EL x_reg %

let ELX = AP_TERM "EL:num->((*wordn)list->*wordn)" (SYM X);;

% |- SET_EL 1 = SET_EL x_reg %

let SET_ELX = AP_TERM "SET_EL:num->((*wordn)list->(*wordn->(*wordn)list))"
                      (SYM X);;

let THREE_TUPLE_CASES_ASSOC = prove_thm(`THREE_TUPLE_CASES_ASSOC`,
  "!b.
    ((((b = T,T,T) \/ (b = F,T,T)) \/ (b = T,F,T) \/ (b = F,F,T)) \/
     ((b = T,T,F) \/ (b = F,T,F)) \/
     (b = T,F,F) \/
     (b = F,F,F))
    = ((b = F,F,F) \/
       (b = F,F,T) \/
       (b = F,T,F) \/
       (b = F,T,T) \/
       (b = T,F,F) \/
       (b = T,F,T) \/
       (b = T,T,F) \/
       (b = T,T,T))",
  GEN_TAC
  THEN ASM_CASES_TAC "(b = F,F,F)"
  THENL [ALL_TAC; ASM_CASES_TAC "(b = F,F,T)"
  THENL [ALL_TAC; ASM_CASES_TAC "(b = F,T,F)"
  THENL [ALL_TAC; ASM_CASES_TAC "(b = F,T,T)"
  THENL [ALL_TAC; ASM_CASES_TAC "(b = T,F,F)"
  THENL [ALL_TAC; ASM_CASES_TAC "(b = T,F,T)"
  THENL [ALL_TAC; ASM_CASES_TAC "(b = T,T,F)"
  THENL [ALL_TAC; ASM_CASES_TAC "(b = T,T,T)"
  ]]]]]]]
  THEN ASM_REWRITE_TAC [OR_CLAUSES; PAIR_EQ]
);;

let THREE_TUPLE_VALUE_ASSOC_LEMMA = prove_thm(`THREE_TUPLE_VALUE_ASSOC_LEMMA`,
  "!b. (b = F,F,F) \/
       (b = F,F,T) \/
       (b = F,T,F) \/
       (b = F,T,T) \/
       (b = T,F,F) \/
       (b = T,F,T) \/
       (b = T,T,F) \/
       (b = T,T,T)",
  GEN_TA C
  THEN SUBST_TAC [SYM (SPEC "b" THREE_TUPLE_CASES_ASSOC)]
  THEN REWRITE_TAC [(SPEC "b" THREE_TUPLE_VALUE_LEMMA)]
);;

let THREE_TUPLE_IMP1 = prove_thm(`THREE_TUPLE_IMP1`,
  "!b. ((b = F,F,F) \/
        (b = F,F,T) \/
        (b = F,T,F))
       ==> ~((b = F,T,T) \/
             (b = T,F,F) \/
             (b = T,F,T) \/
             (b = T,T,F) \/
             (b = T,T,T))",
  GEN_TAC
  THEN DISCH_TAC
  THEN POP_ASSUM(\thm. DISJ_CASES_TAC thm)
  THEN (POP_ASSUM(\thm. DISJ_CASES_TAC thm) ORELSE ALL_TAC)
  THEN ASM_REWRITE_TAC [PAIR_EQ]
);;

let RSF_CASES = SPEC
  "(RSF (rep:^rep_ty) (fetch rep(ram t, address rep(EL p_reg(reg t)))))"
  TWO_TUPLE_VALUE_LEMMA;;

let DSF_CASES = SPEC
  "(DSF (rep:^rep_ty) (fetch rep(ram t, address rep(EL p_reg(reg t)))))"
  THREE_TUPLE_VALUE_ASSOC_LEMMA;;

let AXY_DSF_CASES =
  "~((DSF (rep:^rep_ty) (fetch rep(ram t, address rep(EL p_reg(reg t)))) = F,F,F)
     \/ (DSF rep(fetch rep(ram t, address rep(EL p_reg(reg t)))) = F,F,T)
     \/ (DSF rep(fetch rep(ram t, address rep(EL p_reg(reg t)))) = F,T,F))";;

let AXY_IMP1 = (SPEC
  "(DSF (rep:^rep_ty) (fetch rep(ram t, address rep(EL p_reg(reg t)))))"
  THREE_TUPLE_IMP1);;
let RSF_CASES_TAC =
  DISJ_CASES_TAC RSF_CASES              % cond on RSF - 4 subgoals proved %
  THEN POP_ASSUM(\thm. DISJ_CASES_TAC thm)
  THEN % rewrite (reg t+10) with the conditions and asl %
  ASSUM_LIST(\asl. let regsVal = (el 14 asl) in ASSUME_TAC(
    REWRITE_RULE [PAIR_EQ; bt3_val; (SYM A); (SYM Y); (SYM P); ELX; SET_ELX]
      (ONCE_REWRITE_RULE [update_reg]
        (REWRITE_RULE ((subtract asl [regsVal]) @
                       [bt2_val; bt3_val; (SYM A); (SYM Y); (SYM P)]) regsVal))))
  THEN ASM_REWRITE_TAC [PAIR_EQ; EL_SET_EL];;

let ELP_SET_ELP = TAC_PROOF(([], "!(newVal:*wordn) b.
    (EL p_reg (update_reg (reg (t:num)) (F,T,T) b newVal)) = newVal"),
  REPEAT GEN_TAC
  THEN REWRITE_TAC [update_reg; bt3_val; (SYM P); EL_SET_EL; PAIR_EQ]);;

let EL_COND_THM = TAC_PROOF(([], "!(regs:*wordn list) sel.
    (EL ((sel = F,F) => a_reg |
         (sel = F,T) => x_reg |
         (sel = T,F) => y_reg |
                        p_reg) regs) =
    ((sel = F,F) => EL a_reg regs |
     (sel = F,T) => EL x_reg regs |
     (sel = T,F) => EL y_reg regs |
                    EL p_reg regs)"),
  GEN_TAC THEN GEN_TAC
  THEN COND_CASES_TAC
  THEN REWRITE_TAC []
  THEN COND_CASES_TAC
  THEN REWRITE_TAC []
  THEN COND_CASES_TAC
  THEN REWRITE_TAC []
);;

let SPEC1_EL_COND_THM =
  SPECL ["(update_reg ((reg (t:num)):*wordn list) (F,T,T) (b t)
            (add (rep:^rep_ty) (EL p_reg(reg t), wordn rep 1)))";
         "(RSF (rep:^rep_ty) (fetch rep (ram (t:num),
            address rep(EL p_reg(reg t)))))"]
        EL_COND_THM;;

let bt2_reg_def = REWRITE_RULE [(SYM A); (SYM X); (SYM Y); (SYM P)] bt2_val_def;;

let INDEP_A_UPDATE1 = prove_thm(`INDEP_A_UPDATE1`,
  "!(l:*wordn list) (n:num) (z:*wordn).
    (((n = x_reg) \/ (n = y_reg) \/ (n = p_reg)) /\
     (LENGTH l = p_reg))
    ==> ((EL n (SET_EL a_reg l z)) = EL n l)",
  EL_SET_EL_TAC);;

let INDEP_X_UPDATE1 = prove_thm(`INDEP_X_UPDATE1`,
  "!(l:*wordn list) (n:num) (z:*wordn).
    (((n = a_reg) \/ (n = y_reg) \/ (n = p_reg)) /\
     (LENGTH l = p_reg))
    ==> ((EL n (SET_EL x_reg l z)) = EL n l)",
  EL_SET_EL_TAC);;

let INDEP_Y_UPDATE1 = prove_thm(`INDEP_Y_UPDATE1`,
  "!(l:*wordn list) (n:num) (z:*wordn).
    (((n = a_reg) \/ (n = x_reg) \/ (n = p_reg)) /\
     (LENGTH l = p_reg))
    ==> ((EL n (SET_EL y_reg l z)) = EL n l)",
  EL_SET_EL_TAC);;


let INDEPENDENCE_TAC UPDATE_THM =                      % 32.6 %
  ASSUM_LIST(\asl. ASSUME_TAC(
    (REWRITE_RULE [(SPEC "(update_reg(reg (t:num)) (F,T,T) (b t)
                            (add rep(EL p_reg(reg t),wordn (rep:^rep_ty) 1)))"
                         (REWRITE_RULE [REG_LIST_LENGTH] (last asl)))]
      (SPECL ["(update_reg(reg (t:num)) (F,T,T) (b t)
                 (add rep(EL p_reg(reg t),wordn (rep:^rep_ty) 1)))"] UPDATE_THM))))
  THEN POP_ASSUM(\thm. REWRITE_TAC [ELP_SET_ELP;
    (REWRITE_RULE [] (SPEC "a_reg" thm));
    (REWRITE_RULE [] (SPEC "x_reg" thm));
    (REWRITE_RULE [] (SPEC "y_reg" thm));
    (REWRITE_RULE [] (SPEC "p_reg" thm))]);;

let EXPAND_REG_TAC =                                   % 235.0s %
  ASSUM_LIST(\asl. let regsVal = (el 13 asl) in ASSUME_TAC(
    REWRITE_RULE [PAIR_EQ; bt3_val; (SYM A); (SYM Y); (SYM P); ELX; SET_ELX;
                  bt2_reg_def; SPEC1_EL_COND_THM; ELP_SET_ELP]
      (ONCE_REWRITE_RULE [update_reg]
        (REWRITE_RULE ((subtract asl [regsVal]) @
                       [bt2_val; bt3_val; (SYM A); (SYM Y); (SYM P)]) regsVal))));;

let EXPAND_B_TAC =                                     % 235.0s %
  ASSUM_LIST(\asl. let bVal = (el 8 asl) in ASSUME_TAC(
    REWRITE_RULE [PAIR_EQ; bt3_val; (SYM A); (SYM Y); (SYM P); ELX; SET_ELX;
                  bt2_reg_def; EL_COND_THM; ELP_SET_ELP]
      (REWRITE_RULE ((subtract asl [bVal]) @
                     [bt2_val; bt3_val; (SYM A); (SYM Y); (SYM P)]) bVal)));;

let EXPAND_COND_TAC thmNum =
  ASSUM_LIST(\asl. let thm = (el thmNum asl) in ASSUME_TAC(
    REWRITE_RULE [PAIR_EQ; bt3_val; (SYM A); (SYM Y); (SYM P); ELX; SET_ELX;
                  bt2_reg_def; EL_COND_THM; ELP_SET_ELP]
      (REWRITE_RULE ((subtract asl [thm]) @
                     [bt2_val; bt3_val; (SYM A); (SYM Y); (SYM P)]) thm)));;


let FETCH_OPERAND_CASES_TAC =
  NORMAL_SYMB_EXEC 4 T4 THEN DELETE_USTEP_TAC 3
  THEN NORMAL_SYMB_EXEC 5 T5 THEN DELETE_USTEP_TAC 4
  THEN REWRITE_TAC [load_m_expanded; write_reg_expanded; load_r_expanded;
                    write_preg_expanded]
  % construct MSF cases %
  THEN ASSUM_LIST (\asl. ASSUME_TAC (SPEC (snd(dest_comb(snd(dest_comb(snd(
           dest_comb (rhs (snd(dest_thm ((el 1 asl)))))))))))
         TWO_TUPLE_VALUE_LEMMA))
  THEN POP_ASSUM(\thm. DISJ_CASES_TAC thm)
  THEN POP_ASSUM(\thm. DISJ_CASES_TAC thm);;
let FIND_ASSUM f asl = hd(filter (f o concl) asl);;


let MSF_CASE_MPC_REWRITE_TAC =
  ASSUM_LIST(\asl. ASSUME_TAC(REWRITE_RULE [(el 1 asl); bt2_val]
                                           (el 2 asl)))
  THEN POP_ASSUM (\thm. ASSUME_TAC (
    CONV_RULE (ONCE_DEPTH_CONV bt7_ival_CONV) (
      CONV_RULE DEC_ADD_CONV (
        % DEC_ADD_CONV broken for "0 + 1" %
        PURE_ONCE_REWRITE_RULE [ADD_CLAUSES] (thm)))));;

let MSF_FT_FF_FETCH_TAC =
  ASSUM_LIST(\asl. REWRITE_TAC [(el 1 asl); PAIR_EQ])    % 2567.8s %
  THEN MSF_CASE_MPC_REWRITE_TAC
  THEN NEXT_SYMB_EXEC_TAC 6 THEN DELETE_USTEP_TAC 5
  THEN NEXT_SYMB_EXEC_TAC 7 THEN DELETE_USTEP_TAC 6
  THEN NEXT_SYMB_EXEC_TAC 8 THEN DELETE_USTEP_TAC 7
  THEN NEXT_SYMB_EXEC_TAC 9 THEN DELETE_USTEP_TAC 8
  THEN NEXT_SYMB_EXEC_TAC 10 THEN DELETE_USTEP_TAC 9
  THEN NEXT_SYMB_EXEC_TAC 11 THEN DELETE_USTEP_TAC 10
  THEN NEXT_SYMB_EXEC_TAC 12
  THEN JMPOPC_POP_ASSUM_TAC THEN DELETE_USTEP_TAC 11;;


let SYMB_EXEC_ASSUM_TAC mpcAsm theTimeThm =
  ASSUM_LIST(\asl.
    IMP_RES_TAC (el (mpc_from_thm (el mpcAsm asl) + 1) Micro_Int_Inst_list))
  THEN POP_ASSUM(\thm. POP_ASSUM(\thm1. ASSUM_LIST(\asl. ASSUME_TAC(
    (REWRITE_RULE ([theTimeThm] @ asl) thm)))));;

let SYMB_EXEC_ASSUM_TAC1 mpcAsm theTimeThm =
  ASSUM_LIST(\asl.
    IMP_RES_TAC (el (mpc_from_thm (el mpcAsm asl)+1) Micro_Int_Inst_list))
  THEN POP_ASSUM(\thm. POP_ASSUM(\thm1. ASSUM_LIST(\asl.
    MAP_EVERY ASSUME_TAC ((CONJUNCTS (REWRITE_RULE (
      [PAIR_EQ; theTimeThm; DSF_join_op; op_join_op; address_join_address;
       address_pad_address] @ asl) thm))))));;

% The processor is now stopped due to an addressing exception %
% specialize and rewrite stop_thm show nothing will change %
let EXTEND_STOP_TAC when M_I_thm =
  ASSUM_LIST(\asl.
    let curTime = (term_to_int
                    (rand(rand(fst(dest_eq(snd(dest_thm(el 1 asl)))))))) in
    let endTime =
      (term_to_int (snd(dest_eq(snd(dest_thm (el when asl)))))) in
    ASSUME_TAC (REWRITE_RULE [(el 1 asl); (el 5 asl); (el M_I_thm asl);
                              (sumTHM curTime (endTime-curTime))]
      (SPECL [(int_to_term (endTime - curTime)); (t_plus_term curTime)]
             stop_thm)))
  THEN POP_ASSUM(\thm. REWRITE_TAC [(REWRITE_RULE [PAIR_EQ] thm)])
  THEN ASM_REWRITE_TAC []
  THEN REWRITE_TAC [ELP_SET_ELP];;

let GOOD_DEST_TAC =
  ASSUM_LIST(\asl. DISJ_CASES_TAC (el 14 asl))
  THENL
  [ EXPAND_REG_TAC
    THEN EXPAND_B_TAC
    THEN ASM_REWRITE_TAC [PAIR_EQ; EL_SET_EL; DSF_join_op; op_join_op;
                          address_join_address; address_pad_address]
    THEN INDEPENDENCE_TAC INDEP_A_UPDATE1
  ;
    POP_ASSUM(\thm. DISJ_CASES_TAC thm)
    THEN EXPAND_REG_TAC
    THEN EXPAND_B_TAC
    THEN ASM_REWRITE_TAC [PAIR_EQ; EL_SET_EL; DSF_join_op; op_join_op;
                          address_join_address; address_pad_address]
    THENL
    [ INDEPENDENCE_TAC INDEP_X_UPDATE1 ;
      INDEPENDENCE_TAC INDEP_Y_UPDATE1
    ]
  ];;

let MSF_TF_FETCH_TAC =
  ASSUM_LIST(\asl. REWRITE_TAC [(el 1 asl); PAIR_EQ])    % 2567.8s %
  THEN MSF_CASE_MPC_REWRITE_TAC
  THEN NEXT_SYMB_EXEC_TAC 6 THEN DELETE_USTEP_TAC 5
  THEN NEXT_SYMB_EXEC_TAC 7 THEN DELETE_USTEP_TAC 6
  THEN NEXT_SYMB_EXEC_TAC 8 THEN DELETE_USTEP_TAC 7
  THEN SYMB_EXEC_ASSUM_TAC 1 T9
  % case split based on valid address %
  THEN ASSUM_LIST (\asl. ASM_CASES_TAC ((fst (dest_cond
         (pair_el 9 (snd(dest_eq(snd(dest_thm(el 1 asl))))))))))
  THENL
  [ % ~valid address %
    POP_ASSUM(\theCase. POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC (
      ([theCase] @ (CONJUNCTS
        (REWRITE_RULE [PAIR_EQ; theCase] thm))))))
    THEN DELETE_USTEP_TAC 8
    THEN ASSUM_LIST (\asl. ASSUME_TAC      % (el 13 asl) is valid_address ... %
      (REWRITE_RULE [PAIR_EQ; update_reg] (el 13 asl)))
    THEN ASM_REWRITE_TAC [PAIR_EQ]
    % The processor is now stopped due to an addressing exception %
    % specialize and rewrite stop_thm show nothing will change %
    THEN ASSUM_LIST (\asl.
      let MLC tok = (rator(lhs(tok))) = "MacroLevelCycles" ? false in
      let endTimeThm = (FIND_ASSUM MLC asl) in
      let curTime = (term_to_int
                      (rand(rand(fst(dest_eq(snd(dest_thm(el 2 asl)))))))) in
      let endTime =
        (term_to_int (snd(dest_eq(snd(dest_thm (endTimeThm)))))) in
      ASSUME_TAC (REWRITE_RULE (asl @ [(sumTHM curTime (endTime-curTime))])
        (SPECL [(int_to_term (endTime - curTime)); (t_plus_term curTime)]
               stop_thm)))
    THEN POP_ASSUM(\thm. REWRITE_TAC [(REWRITE_RULE [PAIR_EQ] thm)])
    THEN ASM_REWRITE_TAC []
    THEN REWRITE_TAC [ELP_SET_ELP]
  ; % now the valid address case %
    POP_ASSUM(\thm. ASSUME_TAC (REWRITE_RULE [] thm))
    THEN POP_ASSUM(\theCase. POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC (
      ([theCase] @ (CONJUNCTS (REWRITE_RULE [PAIR_EQ; theCase] thm))))))
    THEN ASSUM_LIST (\asl. REWRITE_TAC [(el 13 asl)])
    THEN NORMAL_POP_ASSUM_TAC THEN DELETE_USTEP_TAC 8
    THEN NEXT_SYMB_EXEC_TAC 10 THEN DELETE_USTEP_TAC 9
    THEN NEXT_SYMB_EXEC_TAC 11 THEN DELETE_USTEP_TAC 10
    THEN NEXT_SYMB_EXEC_TAC 12
    THEN JMPOPC_POP_ASSUM_TAC THEN DELETE_USTEP_TAC 11
  ];;

let MSF_TT_FETCH_TAC =
  ASSUM_LIST(\asl. REWRITE_TAC [(el 1 asl); PAIR_EQ])    % 2567.8s %
  THEN MSF_CASE_MPC_REWRITE_TAC
  THEN NEXT_SYMB_EXEC_TAC 6 THEN DELETE_USTEP_TAC 5
  THEN NEXT_SYMB_EXEC_TAC 7 THEN DELETE_USTEP_TAC 6
  THEN SYMB_EXEC_ASSUM_TAC 1 T8
  % case split based on valid address %
  THEN ASSUM_LIST (\asl. ASM_CASES_TAC ((fst (dest_cond
         (pair_el 9 (snd(dest_eq(snd(dest_thm(el 1 asl))))))))))
  THENL
  [ % ~valid address %
    POP_ASSUM(\theCase. POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC (
      ([theCase] @ (CONJUNCTS
        (REWRITE_RULE [PAIR_EQ; theCase] thm))))))
    THEN DELETE_USTEP_TAC 7
    THEN ASSUM_LIST (\asl. ASSUME_TAC      % (el 13 asl) is valid_address ... %
      (REWRITE_RULE [PAIR_EQ; update_reg] (el 13 asl)))
    THEN ASM_REWRITE_TAC [PAIR_EQ]
    % The processor is now stopped due to an addressing exception %
    % specialize and rewrite stop_thm show nothing will change %
    THEN ASSUM_LIST (\asl.
      let MLC tok = (rator(lhs(tok))) = "MacroLevelCycles" ? false in
      let endTimeThm = (FIND_ASSUM MLC asl) in
      let curTime = (term_to_int
                      (rand(rand(fst(dest_eq(snd(dest_thm(el 2 asl)))))))) in
      let endTime =
        (term_to_int (snd(dest_eq(snd(dest_thm (endTimeThm)))))) in
      ASSUME_TAC (REWRITE_RULE (asl @ [(sumTHM curTime (endTime-curTime))])
        (SPECL [(int_to_term (endTime - curTime)); (t_plus_term curTime)]
               stop_thm)))
    THEN POP_ASSUM(\thm. REWRITE_TAC [(REWRITE_RULE [PAIR_EQ] thm)])
    THEN ASM_REWRITE_TAC []
    THEN REWRITE_TAC [ELP_SET_ELP]
  ; % now the valid address case %
    POP_ASSUM(\thm. ASSUME_TAC (REWRITE_RULE [] thm))
    THEN POP_ASSUM(\theCase. POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC (
      ([theCase] @ (CONJUNCTS (REWRITE_RULE [PAIR_EQ; theCase] thm))))))
    THEN ASSUM_LIST (\asl. REWRITE_TAC [(el 13 asl)])
    THEN NORMAL_POP_ASSUM_TAC THEN DELETE_USTEP_TAC 7
    THEN NEXT_SYMB_EXEC_TAC 9 THEN DELETE_USTEP_TAC 8
    THEN NEXT_SYMB_EXEC_TAC 10 THEN DELETE_USTEP_TAC 9
    THEN NEXT_SYMB_EXEC_TAC 11 THEN DELETE_USTEP_TAC 10
    THEN NEXT_SYMB_EXEC_TAC 12
    THEN JMPOPC_POP_ASSUM_TAC THEN DELETE_USTEP_TAC 11
  ];;


loadf `digit`;;
loadf `decimal`;;
loadf `tuple`;;
loadf `abstract`;;

load_parent `mac_I`;;

map new_parent [`aux_def`; `micro_def`; `regs_def`;
                `aux_thms`; `time_abs`; `gen_I`];;

let rep_ty = abstract_type `aux_def` `opcode`;;


let ABS_ENV = definition `macro_def` `ABS_ENV`;;
let Opcode = definition `macro_def` `Opcode`;;
let Opc_Val = definition `macro_def` `Opc_Val`;;
let Macro_Int_IMPL_IMP = theorem `mac_I` `Macro_Int_IMPL_IMP`;;
let Micro_state_to_Macro_state = definition `mac_I`
                                   `Micro_state_to_Macro_state`;;
let macro_inst_list = definition `macro_def` `macro_inst_list`;;
let GetMPC = definition `micro_def` `GetMPC`;;
let add_bt7 = definition `micro_def` `add_bt7`;;
let Next = definition `time_abs` `Next`;;
let Micro_I = theorem `micro_aux` `Micro_I`;;
let MacroLevelCycles = definition `mac_I` `MacroLevelCycles`;;
let I_rep_ty = abstract_type `gen_I` `Impl`;;

let macro_state = ":(*wordn#*wordn#*wordn#*wordn#bool#bool#*wordn#*memory)";;
                  % a      x      y      p      b    stop ir     ram %

let macro_env = ":(bool)";;

let micro_state = ":(((*wordn)list)#*wordn#*wordn#
                     *wordn#*wordn#*memory#bool#bool#bool#*address#*wordn#bt7)";;

let micro_env = ":(bool)";;

let load_macro_inst = (\x. definition `macro_def` x);;

let macro_defn_list = map load_macro_inst
  [`NOOP_M`; `SHR`; `SHRB`; `SHLB`; `SHL`;
   `CMP`; `WRITEM`; `WRITEIO`; `NEG`; `CALL`;
   `READIO`; `READM`; `ADDB`; `ADDS`; `SUBB`;
   `SUBS`; `XOR`; `AND`; `NOR`; `ANDMBAR`;
   `NOOP_M`; `NOOP_M`; `NOOP_M`; `NOOP_M`; `NOOP_M`;
   `NOOP_M`; `NOOP_M`; `NOOP_M`; `NOOP_M`; `NOOP_M`;
   `NOOP_M`; `NOOP_M`];;

let load_micro_inst = (\x. theorem `micro_def` x);;

let Micro_state_to_Macro_state = definition `mac_I` `Micro_state_to_Macro_state`;;

%
  I need some theorems about SUM not provided in the theory
%

let sum_axiom =
  BETA_RULE (
    REWRITE_RULE [o_DEF] (
      CONV_RULE (TOP_DEPTH_CONV FUN_EQ_CONV) sum_Axiom));;


%
  Some ML functions for the inference rules that follow.
%

let last l = (el (length l) l);;

letrec term_list_el n l = (
  let tm_hd x = rand(fst(dest_comb x)) and
      tm_tl x = snd(dest_comb x) in
  if (n = 0) then tm_hd l else
    term_list_el (n-1) (tm_tl l))
  ? failwith `term_list_el`;;


%
  This is insecure for right now. If anyone is seriously concerned
  that this isn't right, I'll do it over.
%

let EL_CONV tm = (
  let ((c,n),l) = ((dest_comb # I) o dest_comb) tm in
  let n_int = term_to_int n in
  mk_thm([], "^tm = ^(term_list_el n_int l)")) ?
  failwith `EL_CONV`;;

%
  EL_CONV "EL 3 [0;1;2;3;4;5]";;
%

%
  Some other nice conversions
%

let is_SND_term t =
  if is_comb t then
    fst(dest_const(fst(strip_comb t))) = `SND`
  else
    false;;

let SND_CONV t =
  if is_SND_term t then
    let op,pr = dest_comb t in
    let op,[t1;t2] = strip_comb pr in
    SPECL [t1; t2] (
      INST_TYPE [((type_of t1), ":*");
                 ((type_of t2), ":**")] SND)
  else
    failwith `SND_CONV`;;

let ADD_ASSOC_CONV t =
  let op1,[t1;t2] = strip_comb t
  in
  let op2,[t3;t4] = strip_comb t2
  in
  if op1 = "$+" & op2 = "$+"
  then SPECL [t1; t3; t4] ADD_ASSOC
  else fail;;


%
  INV_ADD_ASSOC_CONV "(a+b)+c"  -->  |- (a+b)+c = a+(b+c)
%

let INV_ADD_ASSOC = (GEN_ALL o SYM o SPEC_ALL) ADD_ASSOC;;

let INV_ADD_ASSOC_CONV t =
  let op1,[t1;t2] = strip_comb t
  in
  let op2,[t3;t4] = strip_comb t1
  in
  if op1 = "$+" & op2 = "$+"
  then SPECL [t3; t4; t2] INV_ADD_ASSOC
  else fail;;

let inv_num_CONV n = (
  let x,y = dest_comb n in
  let y_inc = int_to_term ((term_to_int y) + 1) in
  if not(x = "SUC") then fail else
    SYM_RULE (num_CONV y_inc))
  ? failwith `inv_num_CONV`;;



let instructions = map load_micro_inst
  [`FETCH_u1`;    `FETCH_u2`;    `FETCH_u3`;    `FETCH_u4`;
   `JMP_reqm`;    `JMP_opc`;     `NOOP`;        `SHRS_u1`;
   `SHRB_u1`;     `SHLB_u1`;     `AXY_WRITE`;   `SHLS_u1`;
   `NO_OVL`;      `NOOP`;        `AXY_WRITE`;   `SHRS_u2`;
   `NOOP`;        `AXY_WRITE`;   `SHRB_u2`;     `NOOP`;
   `AXY_WRITE`;   `SHLB_u2`;     `NOOP`;        `MF0_u1`;
   `MF1_u1`;      `MF2_u1`;      `MF3_u1`;      `MF3_u2`;
   `FETCH_u3`;    `MF3_u4`;      `MF3_u5`;      `MF3_u6s1`;
   `MF3_u1w4`;    `MF3_u6`;      `MF3_u4`;      `MF3_u5w3`;
   `MF3_u6`;      `MF3_u1`;      `MF2_u3`;      `FETCH_u3`;
   `MF3_u4`;      `MF3_u5`;      `MF3_u6`;      `COMPARE_u1`;
   `WRITEMEM_u1`; `WRITEIO_u1`;  `NEG_u1`;      `CALL_u1`;
   `READIO_u1`;   `READMEM_u1`;  `ADDB_u1`;     `ADDS_u1`;
   `SUBB_u1`;     `SUBS_u1`;     `XOR_u1`;      `AND_u1`;
   `NOR_u1`;      `ANDMBAR_u1`;  `NOOP`;        `COMPARE_u2`;
   `NOOP`;        `WRITEMEM_u2`; `NOOP`;        `WRITEIO_u2`;
   `NOOP`;        `AXY_WRITE`;   `NEGATE_u2`;   `NOOP`;
   `CALL_u2`;     `CALL_u3`;     `FETCH_u3`;    `NOOP`;
   `READIO_u2`;   `MF3_u5`;      `READIO_u4`;   `NOOP`;
   `READIO_u4`;   `CK_VALID_PC`; `NOOP`;        `ADDB_u2`;
   `NOOP`;        `ADDS_u2`;     `CK_VALID_PC`; `NO_OVL`;
   `NOOP`;        `SUBB_u2`;     `NOOP`;        `SUBS_u2`;
   `CK_VALID_PC`; `NO_OVL`;      `NOOP`;        `XOR_u2`;
   `NOOP`;        `AND_u2`;      `NOOP`;        `NOR_u2`;
   `NOOP`;        `wait_4`;      `wait_3`;      `wait_2`;
   `wait_1`;      `MF3_u6`;      `NOOP`;        `NOOP`;
   `NOOP`;        `NOOP`;        `NOOP`;        `NOOP`;
   `NOOP`;        `NOOP`;        `NOOP`;        `NOOP`;
   `NOOP`;        `NOOP`;        `NOOP`;        `NOOP`;
   `NOOP`;        `NOOP`;        `NOOP`;        `NOOP`;
   `NOOP`;        `NOOP`;        `NOOP`;        `NOOP`;
   `NOOP`;        `NOOP`;        `NOOP`;        `NOOP`];;


let micro_inst_list = definition `micro_def` `micro_inst_list`;;

%
  Beginning of MPC
%

let FETCH_ADDR = "(F,F,F,F,F,F,F)";;

%
  Offset into microrom lookup table may need to change
%

let OFFSET = "4";;


%
  Using MK_Micro_Int_Inst_LEMMA, we can prove a lemma of the form

  |- Micro_Int
       rep
       (\t. (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t))
       (\t. (int_e t,reset_e t)) ==>
     (!t.
       (mpc t = F,F,T,F,T,T) ==>
       (reg(t + 1),psw(t + 1),pc(t + 1),mem(t + 1),ivec(t + 1),ir(t + 1),
        mar(t + 1),mbr(t + 1),mpc(t + 1) =
        ST_u1
          rep
          (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,F,F,T,F,T,T)
          (int_e t,reset_e t)))

  for every microinstruction, by simply giving its position in the
  list. Mapping the inference rule onto a list of integers from 0
  to 127 yields a list of lemmas for each micro instruction. The
  entire process (exclusive of autoloading time) takes < 700 sec.
%

let Micro_Int_SPEC =
  PURE_ONCE_REWRITE_RULE [micro_inst_list; GetMPC] (
    BETA_RULE (
      SPECL ["rep:^rep_ty";
             "(\t. (reg t,m t,ins t,din t,dout t,ram t,b t,stop t,ovl t,
                    mar t,res t,mpc t)):time->^micro_state";
             "(\t. (reset_e t)):time->^micro_env"] Micro_I));;

let MK_Micro_Int_Inst_LEMMA inst =
  let tp = mk_n_tuple_from_int 7 inst in
  let mpc_term = "mpc t = ^tp" in
  DISCH_ALL (
    GEN "t" (
      DISCH mpc_term (
        SUBS [SPECL ["rep:^rep_ty";
                     "reg t:(*wordn) list";
                     "m t:*wordn";
                     "ins t:*wordn";
                     "din t:*wordn";
                     "dout t:*wordn";
                     "ram t:*memory";
                     "b t:bool";
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                     "stop t:bool";
                     "ovl t:bool";
                     "mar t:*address";
                     "res t:*wordn";
                     tp;
                     "reset_e t:bool"] (el (inst+1) instructions)] (
          CONV_RULE (DEPTH_CONV SND_CONV) (
            CONV_RULE (ONCE_DEPTH_CONV EL_CONV) (
              SUBS [bt7_val_CONV "bt7_val ^tp"] (
                SUBS [ASSUME mpc_term] (
                  SPEC_ALL (
                    SUBS [Micro_Int_SPEC] (
                      ASSUME
                        "Micro_I (rep:^rep_ty)
                           (\t. reg t,m t,ins t,din t,dout t,ram t,b t,stop t,ovl t,
                                mar t,res t,mpc t)
                           (\t. reset_e t)")))))))));;

let mk_num_list n =
  letrec mk_num_list_aux n m =
    if n = m then [m] else
    (n . (mk_num_list_aux (n+1) m)) in
  mk_num_list_aux 0 n;;


%
MODIFY FOR A TEST
let Micro_Int_Inst_list = map MK_Micro_Int_Inst_LEMMA (mk_num_list 32);;
%

let Micro_Int_Inst_list = map MK_Micro_Int_Inst_LEMMA (mk_num_list 127);;

%
correct up to here
%


%
Normalize top assumption (get rid of add_bt7)
%

let NORMAL_POP_ASSUM_TAC =
  POP_ASSUM (\thm. ASSUME_TAC (
    CONV_RULE (ONCE_DEPTH_CONV bt7_ival_CONV) (
      CONV_RULE DEC_ADD_CONV (
        % DEC_ADD_CONV broken for "0 + 1" %
        PURE_ONCE_REWRITE_RULE [ADD_CLAUSES] (
          CONV_RULE (ONCE_DEPTH_CONV bt7_val_CONV) (
            REWRITE_RULE [add_bt7] thm))))));;

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let RANGE_LEMMA = TAC_PROOF
  (([],
    "!t1 t2 (mpc:time->bt7) x.
      (!t'. t1 < t' /\ t' < t2 ==> ~(mpc t' = x)) /\
      ~(mpc t2 = x) ==>
      (!t'. t1 < t' /\ t' < (t2 + 1) ==> ~(mpc t' = x))"),
   REPEAT STRIP_TAC
   THEN ASSUM_LIST (\asl. ASSUME_TAC (
     SPEC "t':time" (el 5 asl)))
   THEN ASSUM_LIST (\asl. STRIP_ASSUME_TAC (
     REWRITE_RULE [SYM_RULE ADD1; LESS_THM] (el 3 asl)))
   THENL [
     ASSUM_LIST (\asl. ASSUME_TAC (
       REWRITE_RULE [el 1 asl] (el 3 asl)))
     ;
     ALL_TAC
   ]
   THEN RES_TAC
  );;

let LESS_SQUEEZE_LEMMA =
  let LESS_EQ_SUC =
    SYM_RULE (
      PURE_ONCE_REWRITE_RULE [DISJ_SYM] LESS_THM) in
  PURE_ONCE_REWRITE_RULE [ADD1] (
    PURE_ONCE_REWRITE_RULE [LESS_EQ_SUC] (
      PURE_ONCE_REWRITE_RULE [LESS_OR_EQ] LESS_EQ_ANTISYM));;


let Macro_Int_IMPL_IMP_LEMMA =
  BETA_RULE (
    REWRITE_RULE [Opcode; Opc_Val; GetMPC; Micro_state_to_Macro_state; Next] (
      BETA_RULE (
        SPECL ["rep:^rep_ty";
               "(\t. (reg t,m t,ins t,din t,dout t,ram t,b t,stop t,ovl t,mar t,res t,mpc t))
                 :time->^micro_state";
               "(\t. (reset_e t)):time->^micro_env"] Macro_Int_IMPL_IMP)));;

let (INST_LOOP_TAC tm_init):tactic =
  let is_begin thm =
    snd(dest_eq thm) = FETCH_ADDR in
  let tuple_val thm =
    term_to_int (bt_val_func (snd(dest_eq thm))) in
  letrec INST_LOOP_TAC_AUX tm ((asl,w):goal) =
    let INST_TAC n =
      IMP_RES_TAC (el n Micro_Int_Inst_list) THEN
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      ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
        CONJUNCTS (
          REWRITE_RULE [PAIR_EQ] (el 1 x)))) in
    let n = (tuple_val (el 1 asl)) + 1 in
    let gl,p = INST_TAC n (asl,w) in
    let (asl',w') = (hd gl) in
    let gll,pl = split (
      if (is_begin (el 1 asl')) then
        map (EXISTS_TAC tm) gl else
        map (INST_LOOP_TAC_AUX "(^tm)+1") gl) in
    (flat gll,(p o mapshape (map length gll) pl)) in
  INST_LOOP_TAC_AUX "(^tm_init + 1)";;

let DECODE_M_CORRECTLY_IMP = new_definition
  (`DECODE_M_CORRECTLY_IMP`,
   "DECODE_M_CORRECTLY_IMP (rep:^rep_ty) =
     !(ins:*wordn) (b:bool).
       let ins_dec = (decode rep (opcode rep ins, b)) in
       let opc = (FST (SND ins_dec)) in
       let mem_req = (SND (SND ins_dec)) in
       let dec_stop = (FST ins_dec) in
       (((opc = (F,F,F,F,F)) \/
         (opc = (F,F,F,F,T)) \/
         (opc = (F,F,F,T,F)) \/
         (opc = (F,F,F,T,T)) \/
         (opc = (F,F,T,F,F))) => ((mem_req = F) /\ (dec_stop = F)) |
        ((opc = (T,T,T,T,T)) => ((mem_req = F) /\ (dec_stop = T)) |
         ((mem_req = T) /\ (dec_stop = F))))");;

let MK_INST_CORRECT_GOAL n =
  let inst = term_list_el n
    (snd(dest_eq(
      snd(dest_forall(concl macro_inst_list))))) in
  "!(rep:^rep_ty) (regs:time->(*wordn) list) (m ins din dout:time->*wordn) (ram:time->*memory)
    (b stop ovl:time->bool) (mar:time->*address) (res:time->*wordn) (mpc:time->bt7)
    (reset_e:time->bool).
    DECODE_M_CORRECTLY_IMP rep ==>
    (Macro_Int_IMPL_IMP rep
      (\t. (reg t,m t,ins t,din t,dout t,ram t,b t,stop t,ovl t,mar t,res t,mpc t))
      (\t. reset_e t) ^inst)";;

let stop_thm = prove_thm (`stop_thm`,
  "!(n:num) (t:num).
    ((Micro_I (rep:^rep_ty)
       (\t. reg t,m t,ins t,din t,dout t,ram t,b t,stop t,ovl t,
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            mar t,res t,mpc t)
       (\t. reset_e t) /\
      (stop t)) /\
     (mpc t = (F,F,F,F,F,F,F))) ==>
    (reg(t + n),m(t + n),ins(t + n),din(t + n),dout(t + n),ram(t + n),
     b(t+n),stop(t+n),ovl(t+n),mar(t+n),res(t+n),mpc(t+n) =
     (reg t,m t,ins t,din t,dout t,ram t,b t,stop t,ovl t,mar t,res t,
      mpc t))",
  INDUCT_TAC THENL [REWRITE_TAC [ADD_CLAUSES];
    (GEN_TAC
     THEN STRIP_TAC
     THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC (CONJUNCTS
       (REWRITE_RULE [(el 1 asl); (el 2 asl);
                      (el 3 asl); PAIR_EQ] (SPEC "t:time" (el 4 asl)))))
     THEN PURE_REWRITE_TAC [ADD1]
     THEN PURE_ONCE_REWRITE_TAC [ADD_ASSOC]
     THEN IMP_RES_TAC (el 1 Micro_Int_Inst_list)
     THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC
       (CONJUNCTS (REWRITE_RULE [(el 8 asl); PAIR_EQ] (el 2 asl))))
     THEN ASM_REWRITE_TAC[])]);;

map (delete_cache o fst) (cached_theories());;

let T_PLUS_7_LEMMA = TAC_PROOF
  (([], "!t. t+7 = (((((((t+1)+1)+1)+1)+1)+1)+1)"),
   GEN_TAC
   THEN REPEAT (PURE_ONCE_REWRITE_TAC [SYM_RULE ADD_ASSOC]
                THEN DEC_ADD_TAC));;




Appendix E: MICRO LEVEL SPECIFICATION 


%
File: ucode_aux.ml

Description: Defines the ML functions and constants necessary to describe
the microinstructions. This file is loaded by several files
that draft theories.

Modified by ETS:
  Includes new wait microinstruction labels
  Removed seq control case stop_ovl_ill_pdest
    This case can be simulated by using
    stop_ovl and stop_ill_pdest.
  Added stop_pcwrite.
%

set_search_path (search_path() @ lib_dir_list);;
system `/bin/rm ucode_aux.th`;;
new_theory `ucode_aux`;;
map new_parent [`tuple`; `decimal`];;


%
The functional representation of a microinstruction:

  (address, seq_alu_ctl(seq, alu), dec_ctl(sig), mem(op),
   srcdst(rfc, dfc, rfsel, dfsel), enable(copy), select(addrout, datain, mout))

The possible values of the various arguments are as follows: (X = don't care)

  address - symbol / X7
  seq     - idle / mjmp / opcjmp / jmp / stop_ovl / stop_ill_addr /
            stop_ill_pdest / stop_pcwrite
  alu     - mthro (or idle) / rthro / compare / negate / add_bcarry /
            add / sub_bcarry / sub / xor / and / nor / and_not /
            shr_s / shr_b / shl_s / shl_b
  sig     - inhibit / allow
  op      - idle / rio / rmem / wio / wmem
  rfc     - inst_rf (or X) / m_rf
  dfc     - inst_df (or X) / m_df
  rfsel   - regA (or X) / regX / regY / regP
  dfsel   - regA (or X) / regX / regY / regP / regM / regADDR
  copy    - none / data / res / both
  addrout - p (or X) / addr
  datain  - m (or X) / ins
  mout    - m (or X) / one / addr
%

%
Definition of labels in microcode
%

let X7 = "(F,F,F,F,F,F,F)";;
let fetch = "(F,F,F,F,F,F,F)";;
let noop = "(F,F,F,F,T,T,F)";;
let shrs1 = "(F,F,F,T,T,T,F)";;
let shrb1 = "(F,F,T,F,F,F,T)";;
let shlb1 = "(F,F,T,F,T,F,F)";;
let mf0 = "(F,F,T,F,T,T,T)";;
let mf01 = "(F,T,F,F,F,F,F)";;
let mf11 = "(F,T,F,F,F,T,F)";;
let mf21 = "(F,T,F,F,T,F,T)";;
let base = "(F,T,F,F,T,T,F)";;
let compare1 = "(F,T,T,T,T,F,F)";;
let writemem1 = "(F,T,T,T,T,F,T)";;
let writeio1 = "(F,T,T,T,T,T,T)";;
let neg1 = "(T,F,F,F,F,F,T)";;
let call1 = "(T,F,F,F,T,F,F)";;
let readio1 = "(T,F,F,T,F,F,F)";;
let readmem1 = "(T,F,F,T,T,F,F)";;
let addb1 = "(T,F,F,T,T,T,T)";;
let adds1 = "(T,F,T,F,F,F,T)";;
let subb1 = "(T,F,T,F,T,F,T)";;
let subs1 = "(T,F,T,F,T,T,T)";;
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let xor1 = "(T,F,T,T,F,T,T)";;
let and1 = "(T,F,T,T,T,F,T)";;
let nor1 = "(T,F,T,T,T,T,T)";;
let wait_1 = "(T,T,F,F,T,F,F)";;
let wait_2 = "(T,T,F,F,F,T,T)";;
let wait_3 = "(T,T,F,F,F,T,F)";;
let wait_4 = "(T,T,F,F,F,F,T)";;

let X = 0;;    % dont care %

let idle = 0;; % idle %


%
Definition of control signals for microsequencing logic
%

% idle = 0 %
let mjmp = 1;;
let opcjmp = 2;;
let jmp = 3;;
let stop_ovl = 4;;
let stop_ill_addr = 5;;
let stop_ill_pdest = 6;;
let stop_pcwrite = 7;;

let seq_ctl x =
  (x = idle)           => "(F, F, F)" |
  (x = mjmp)           => "(F, F, T)" |
  (x = opcjmp)         => "(F, T, F)" |
  (x = jmp)            => "(F, T, T)" |
  (x = stop_ovl)       => "(T, F, F)" |
  (x = stop_ill_addr)  => "(T, F, T)" |
  (x = stop_ill_pdest) => "(T, T, F)" |
                          "(T, T, T)";;



%
Definition of control signals for alu
%

% idle = 0 %
let mthro = 0;;
let rthro = 1;;
let compare = 2;;
let negate = 3;;
let add_bcarry = 4;;
let add = 5;;
let sub_bcarry = 6;;
let sub = 7;;
let xor = 8;;
let and = 9;;
let nor = 10;;
let and_not = 11;;
let shr_s = 12;;
let shr_b = 13;;
let shl_s = 14;;
let shl_b = 15;;

let alu_ctl x =
  (x = idle)       => "(F, F, F, F)" |
  (x = mthro)      => "(F, F, F, F)" |
  (x = rthro)      => "(F, F, F, T)" |
  (x = compare)    => "(F, F, T, F)" |
  (x = negate)     => "(F, F, T, T)" |
  (x = add_bcarry) => "(F, T, F, F)" |
  (x = add)        => "(F, T, F, T)" |
  (x = sub_bcarry) => "(F, T, T, F)" |
  (x = sub)        => "(F, T, T, T)" |
  (x = xor)        => "(T, F, F, F)" |
  (x = and)        => "(T, F, F, T)" |
  (x = nor)        => "(T, F, T, F)" |
  (x = and_not)    => "(T, F, T, T)" |
  (x = shr_s)      => "(T, T, F, F)" |
  (x = shr_b)      => "(T, T, F, T)" |
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  (x = shl_s)      => "(T, T, T, F)" |
                      "(T, T, T, T)";;

let seq_alu_ctl (seq, alu) =
  "(^(seq_ctl seq), ^(alu_ctl alu))";;


%
Definition of decoder control signal
%

let inhibit = "F";;
let allow = "T";;
let dec_ctl (sig) = "^sig";;


%
Definition of memory control signals
%

let rio = 1;;
let rmem = 2;;
let wio = 3;;
let wmem = 4;;

let mem (op) =
  (op = idle) => "(F,F,F)" |
  (op = rio)  => "(T,F,T)" |
  (op = rmem) => "(T,F,F)" |
  (op = wio)  => "(F,T,T)" |
                 "(F,T,F)";;


%
Definition of source & destination reg select lines
%

let regA = 0;;
let regX = 1;;
let regY = 2;;
let regP = 3;;
let regM = 6;;
let regADDR = 7;;

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let inst_rf = 0;;
let m_rf = 1;;
let inst_df = 0;;
let m_df = 1;;

let rf x =
  % the regA/X branch value is illegible in the scan; "(F, F)" follows regA = 0 %
  ((x = regA) or (x = X)) => "(F, F)" |
  (x = regX)              => "(F, T)" |
  (x = regY)              => "(T, F)" |
                             "(T, T)";;

let df x =
  % the regA/X branch value is illegible in the scan; "(F, F, F)" follows regA = 0 %
  ((x = regA) or (x = X)) => "(F, F, F)" |
  (x = regX)              => "(F, F, T)" |
  (x = regY)              => "(F, T, F)" |
  (x = regP)              => "(F, T, T)" |
  (x = regM)              => "(T, T, F)" |
  (x = regADDR)           => "(T, T, T)" |
                             "(F, T, T)";;   % P register %

let srcdst (rfc, dfc, rfsel, dfsel) =
  "(^(rf rfsel), ^(df dfsel),
    ^((rfc = m_rf) => "T" | "F"),
    ^((dfc = m_df) => "T" | "F"))";;


let none = 0;;
let data = 1;;
let res = 2;;
let both = 3;;

let enable (x) =
  (x = none) => "(F, F)" |
  (x = data) => "(T, F)" |
  (x = res)  => "(F, T)" |
                "(T, T)";;

let p = 0;;
let m = 0;;
let ins = 1;;
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let one = 1;;
let addr = 2;;

let whichm x =
  (x = m)    => "(F, F)" |
  (x = one)  => "(F, T)" |
  (x = addr) => "(T, F)" |
                "(T, T)";;

let select (addrout, datain, mout) =
  "(^((addrout = addr) => "T" | "F"),
    ^((datain = ins) => "T" | "F"),
    ^(whichm mout))";;



%
File: def_uinst.ml

Description: Defines the microinstructions and microrom for the
micro level.

Modifications by ETS
  Include new wait, NO_PC_WRITE and CK_VALID_PC, NO_OVL microinstructions.
  Replaced SHLS_u3_mc with NO_OVL fby CK_VALID_PC
  Logical operations' semantics now stop on write to pc
  Reorganized microcode slightly
  NO_PC_WRITE changed to AXY_WRITE (i/o space and memory also invalid)
%

set_search_path (search_path() @ lib_dir_list);;
system `/bin/rm uinst.th`;;
loadf `ucode_aux`;;
new_theory `uinst`;;


%
If you change these addresses, change the list in ucode_aux.ml
as well.

let wait_0 = "(T,T,F,F,T,F,T)";; is not in ucode_aux.ml
%

%
Definition of labels in microcode
%


let X7 = "(F,F,F,F,F,F,F)";;
let fetch = "(F,F,F,F,F,F,F)";;
let noop = "(F,F,F,F,T,T,F)";;
let shrs1 = "(F,F,F,T,T,T,F)";;
let shrb1 = "(F,F,T,F,F,F,T)";;
let shlb1 = "(F,F,T,F,T,F,F)";;
let mf0 = "(F,F,T,F,T,T,T)";;
let mf01 = "(F,T,F,F,F,F,F)";;
let mf11 = "(F,T,F,F,F,T,F)";;
let mf21 = "(F,T,F,F,T,F,T)";;
let base = "(F,T,F,F,T,T,F)";;
let compare1 = "(F,T,T,T,F,T,T)";;
let writemem1 = "(F,T,T,T,T,F,T)";;
let writeio1 = "(F,T,T,T,T,T,T)";;
let neg1 = "(T,F,F,F,F,F,T)";;
let call1 = "(T,F,F,F,T,F,F)";;
let readio1 = "(T,F,F,T,F,F,F)";;
let readmem1 = "(T,F,F,T,T,F,F)";;
let addb1 = "(T,F,F,T,T,T,T)";;
let adds1 = "(T,F,T,F,F,F,T)";;
let subb1 = "(T,F,T,F,T,F,T)";;
let subs1 = "(T,F,T,F,T,T,T)";;
let xor1 = "(T,F,T,T,F,T,T)";;
let and1 = "(T,F,T,T,T,F,T)";;
let nor1 = "(T,F,T,T,T,T,T)";;
let wait_0 = "(T,T,F,F,T,F,T)";;
let wait_1 = "(T,T,F,F,T,F,F)";;
let wait_2 = "(T,T,F,F,F,T,T)";;
let wait_3 = "(T,T,F,F,F,T,F)";;
let wait_4 = "(T,T,F,F,F,F,T)";;


% added by ETS %

let AXY_WRITE_mc = new_definition
  (`AXY_WRITE_mc`,
   "AXY_WRITE_mc =
     (^X7, ^(seq_alu_ctl(stop_pcwrite, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)),
      ^(select(X, X, X)))"
  );;

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let CK_VALID_PC_mc = new_definition
  (`CK_VALID_PC_mc`,
   "CK_VALID_PC_mc =
     (^X7, ^(seq_alu_ctl(stop_ill_pdest, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)),
      ^(select(X, X, X)))"
  );;

let NO_OVL_mc = new_definition
  (`NO_OVL_mc`,
   "NO_OVL_mc =
     (^X7, ^(seq_alu_ctl(stop_ovl, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)),
      ^(select(X, X, X)))"
  );;
% old stuff %

let FETCH_u1_mc = new_definition
  (`FETCH_u1_mc`,
   "FETCH_u1_mc =
     (^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)),
      ^(mem(rmem)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(p,X,X)))"
  );;

let FETCH_u2_mc = new_definition
  (`FETCH_u2_mc`,
   "FETCH_u2_mc =
     (^X7, ^(seq_alu_ctl(idle, add)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(m_rf,m_df,regP,regP)), ^(enable(res)), ^(select(X, X, one)))"
  );;

let FETCH_u3_mc = new_definition
  (`FETCH_u3_mc`,
   "FETCH_u3_mc =
     (^X7, ^(seq_alu_ctl(stop_ill_addr, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)),
      ^(select(X, X, X)))"
  );;

let FETCH_u4_mc = new_definition
  (`FETCH_u4_mc`,
   "FETCH_u4_mc =
     (^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(X,X,X,X)), ^(enable(data)), ^(select(X, ins, X)))"
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  );;

let JMP_reqm_mc = new_definition
  (`JMP_reqm_mc`,
   "JMP_reqm_mc =
     (^mf0, ^(seq_alu_ctl(mjmp, idle)), ^(dec_ctl(allow)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let JMP_opc_mc = new_definition
  (`JMP_opc_mc`,
   "JMP_opc_mc =
     (^noop, ^(seq_alu_ctl(opcjmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let NOOP_mc = new_definition
  (`NOOP_mc`,
   "NOOP_mc =
     (^fetch, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let SHRS_u1_mc = new_definition
  (`SHRS_u1_mc`,
   "SHRS_u1_mc =
     (^shrs1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let SHRB_u1_mc = new_definition
  (`SHRB_u1_mc`,
   "SHRB_u1_mc =
     (^shrb1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let SHLS_u1_mc = new_definition
  (`SHLS_u1_mc`,
   "SHLS_u1_mc =
     (^X7, ^(seq_alu_ctl(idle, shl_s)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, X)))"
  );;

let SHLB_u1_mc = new_definition
  (`SHLB_u1_mc`,
   "SHLB_u1_mc =
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     (^shlb1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;


let SHLB_u2_mc = new_definition
  (`SHLB_u2_mc`,
   "SHLB_u2_mc =
     (^X7, ^(seq_alu_ctl(idle, shl_b)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, X)))"
  );;

let SHRS_u2_mc = new_definition
  (`SHRS_u2_mc`,
   "SHRS_u2_mc =
     (^X7, ^(seq_alu_ctl(idle, shr_s)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, X)))"
  );;

let SHRB_u2_mc = new_definition
  (`SHRB_u2_mc`,
   "SHRB_u2_mc =
     (^X7, ^(seq_alu_ctl(idle, shr_b)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, X)))"
  );;

let MF0_u1_mc = new_definition
  (`MF0_u1_mc`,
   "MF0_u1_mc =
     (^mf01, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let MF1_u1_mc = new_definition
  (`MF1_u1_mc`,
   "MF1_u1_mc =
     (^mf11, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let MF2_u1_mc = new_definition
  (`MF2_u1_mc`,
   "MF2_u1_mc =
     (^mf21, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

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let MF3_u1_mc = new_definition
  (`MF3_u1_mc`,
   "MF3_u1_mc =
     (^X7, ^(seq_alu_ctl(idle, mthro)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(X,m_df,X,regM)), ^(enable(res)), ^(select(X, X, addr)))"
  );;

let MF3_u2_mc = new_definition
  (`MF3_u2_mc`,
   "MF3_u2_mc =
     (^X7, ^(seq_alu_ctl(idle, add)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(m_rf,m_df,regY,regADDR)), ^(enable(res)), ^(select(X, X, m)))"
  );;

let MF3_u4_mc = new_definition
  (`MF3_u4_mc`,
   "MF3_u4_mc =
     (^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)),
      ^(mem(rmem)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(addr, X, X)))"
  );;

let MF3_u5_mc = new_definition
  (`MF3_u5_mc`,
   "MF3_u5_mc =
     (^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(data)), ^(select(X, m, X)))"
  );;

let MF3_u6_mc = new_definition
  (`MF3_u6_mc`,
   "MF3_u6_mc =
     (^base, ^(seq_alu_ctl(opcjmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let MF2_u3_mc = new_definition
  (`MF2_u3_mc`,
   "MF2_u3_mc =
     (^X7, ^(seq_alu_ctl(idle, add)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(m_rf,m_df,regX,regADDR)), ^(enable(res)), ^(select(X, X, m)))"
  );;

let COMPARE_u1_mc = new_definition
  (`COMPARE_u1_mc`,
   "COMPARE_u1_mc =
     (^compare1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let WRITEMEM_u1_mc = new_definition
  (`WRITEMEM_u1_mc`,
   "WRITEMEM_u1_mc =
     (^writemem1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let WRITEIO_u1_mc = new_definition
  (`WRITEIO_u1_mc`,
   "WRITEIO_u1_mc =
     (^writeio1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let NEG_u1_mc = new_definition
  (`NEG_u1_mc`,
   "NEG_u1_mc =
     (^neg1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let CALL_u1_mc = new_definition
  (`CALL_u1_mc`,
   "CALL_u1_mc =
     (^call1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let READIO_u1_mc = new_definition
  (`READIO_u1_mc`,
   "READIO_u1_mc =
     (^readio1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let READMEM_u1_mc = new_definition
  (`READMEM_u1_mc`,
   "READMEM_u1_mc =
     (^readmem1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let ADDB_u1_mc = new_definition
  (`ADDB_u1_mc`,
   "ADDB_u1_mc =
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     (^addb1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let ADDS_u1_mc = new_definition
  (`ADDS_u1_mc`,
   "ADDS_u1_mc =
     (^adds1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let SUBB_u1_mc = new_definition
  (`SUBB_u1_mc`,
   "SUBB_u1_mc =
     (^subb1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let SUBS_u1_mc = new_definition
  (`SUBS_u1_mc`,
   "SUBS_u1_mc =
     (^subs1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let XOR_u1_mc = new_definition
  (`XOR_u1_mc`,
   "XOR_u1_mc =
     (^xor1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let AND_u1_mc = new_definition
  (`AND_u1_mc`,
   "AND_u1_mc =
     (^and1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let NOR_u1_mc = new_definition
  (`NOR_u1_mc`,
   "NOR_u1_mc =
     (^nor1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let ANDMBAR_u1_mc = new_definition
  (`ANDMBAR_u1_mc`,
   "ANDMBAR_u1_mc =
     (^X7, ^(seq_alu_ctl(stop_pcwrite, and_not)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
  );;

let COMPARE_u2_mc = new_definition
  (`COMPARE_u2_mc`,
   "COMPARE_u2_mc =
     (^X7, ^(seq_alu_ctl(idle, compare)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(inst_rf,X,X,X)), ^(enable(none)), ^(select(X, X, m)))"
  );;

let WRITEMEM_u2_mc = new_definition
  (`WRITEMEM_u2_mc`,
   "WRITEMEM_u2_mc =
     (^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)), ^(mem(wmem)),
      ^(srcdst(inst_rf,X,X,X)), ^(enable(none)), ^(select(addr, X, X)))"
  );;

let WRITEIO_u2_mc = new_definition
  (`WRITEIO_u2_mc`,
   "WRITEIO_u2_mc =
     (^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)), ^(mem(wio)),
      ^(srcdst(inst_rf,X,X,X)), ^(enable(none)), ^(select(addr, X, X)))"
  );;

let NEGATE_u2_mc = new_definition
  (`NEGATE_u2_mc`,
   "NEGATE_u2_mc =
     (^X7, ^(seq_alu_ctl(idle, negate)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(X,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
  );;

let CALL_u2_mc = new_definition
  (`CALL_u2_mc`,
   "CALL_u2_mc =
     (^X7, ^(seq_alu_ctl(idle, rthro)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(m_rf,m_df,regP,regY)), ^(enable(res)), ^(select(X, X, X)))"
  );;

let CALL_u3_mc = new_definition
  (`CALL_u3_mc`,
   "CALL_u3_mc =
     (^X7, ^(seq_alu_ctl(idle, mthro)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(X,m_df,X,regP)), ^(enable(res)), ^(select(X, X, m)))"
  );;

let READIO_u2_mc = new_definition
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  (`READIO_u2_mc`,
   "READIO_u2_mc =
     (^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)),
      ^(mem(rio)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(addr, X, X)))"
  );;

let READIO_u4_mc = new_definition
  (`READIO_u4_mc`,
   "READIO_u4_mc =
     (^X7, ^(seq_alu_ctl(stop_pcwrite, mthro)),
      ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(X,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
  );;

let READMEM_u2_mc = new_definition
  (`READMEM_u2_mc`,
   "READMEM_u2_mc =
     (^X7, ^(seq_alu_ctl(idle, mthro)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(X,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
  );;

let ADDB_u2_mc = new_definition
  (`ADDB_u2_mc`,
   "ADDB_u2_mc =
     (^X7, ^(seq_alu_ctl(stop_pcwrite, add_bcarry)),
      ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
  );;

let ADDS_u2_mc = new_definition
  (`ADDS_u2_mc`,
   "ADDS_u2_mc =
     (^X7, ^(seq_alu_ctl(idle, add)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
  );;

let SUBB_u2_mc = new_definition
  (`SUBB_u2_mc`,
   "SUBB_u2_mc =
     (^X7, ^(seq_alu_ctl(stop_pcwrite, sub_bcarry)),
      ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
  );;

let SUBS_u2_mc = new_definition
  (`SUBS_u2_mc`,
   "SUBS_u2_mc =
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     (^X7, ^(seq_alu_ctl(idle, sub)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
  );;

let XOR_u2_mc = new_definition
  (`XOR_u2_mc`,
   "XOR_u2_mc =
     (^X7, ^(seq_alu_ctl(stop_pcwrite, xor)),
      ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
  );;

let AND_u2_mc = new_definition
  (`AND_u2_mc`,
   "AND_u2_mc =
     (^X7, ^(seq_alu_ctl(stop_pcwrite, and)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
  );;

let NOR_u2_mc = new_definition
  (`NOR_u2_mc`,
   "NOR_u2_mc =
     (^X7, ^(seq_alu_ctl(stop_pcwrite, nor)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
  );;




%
The following were added to pad out fetches so that
the synchronous interpreter model could be used
%

let MF3_u6w1_mc = new_definition
  (`MF3_u6w1_mc`,
   "MF3_u6w1_mc =
     (^wait_0, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;

let MF3_u1w4_mc = new_definition
  (`MF3_u1w4_mc`,
   "MF3_u1w4_mc =
     (^wait_4, ^(seq_alu_ctl(jmp, mthro)), ^(dec_ctl(inhibit)), ^(mem(idle)),
      ^(srcdst(X,m_df,X,regM)), ^(enable(res)), ^(select(X, X, addr)))"
  );;

let MF3_u5w3_mc = new_definition
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  (`MF3_u5w3_mc`,
   "MF3_u5w3_mc =
     (^wait_3, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(data)), ^(select(X, m, X)))"
  );;

let WAIT_mc = new_definition
  (`WAIT_mc`,
   "WAIT_mc =
     (^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)),
      ^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
  );;




%
This list must contain the microinstructions that implement the
behavior in the definition micro_inst_list defined in def_micro.ml.
%

let micro_rom = new_definition
  (`micro_rom`,
   "!n. micro_rom n =
     EL n
     [FETCH_u1_mc; FETCH_u2_mc; FETCH_u3_mc; FETCH_u4_mc;
      JMP_reqm_mc; JMP_opc_mc; NOOP_mc; SHRS_u1_mc;
      SHRB_u1_mc; SHLB_u1_mc; AXY_WRITE_mc; SHLS_u1_mc;
      NO_OVL_mc; NOOP_mc; AXY_WRITE_mc; SHRS_u2_mc;
      NOOP_mc; AXY_WRITE_mc; SHRB_u2_mc; NOOP_mc;
      AXY_WRITE_mc; SHLB_u2_mc; NOOP_mc; MF0_u1_mc;
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      MF1_u1_mc; MF2_u1_mc; MF3_u1_mc; MF3_u2_mc;
      FETCH_u3_mc; MF3_u4_mc; MF3_u5_mc; MF3_u6w1_mc;
      MF3_u1w4_mc; MF3_u6_mc; MF3_u4_mc; MF3_u5w3_mc;
      MF3_u6_mc; MF3_u1_mc; MF2_u3_mc; FETCH_u3_mc;
      MF3_u4_mc; MF3_u5_mc; MF3_u6_mc; COMPARE_u1_mc;
      WRITEMEM_u1_mc; WRITEIO_u1_mc; NEG_u1_mc; CALL_u1_mc;
      READIO_u1_mc; READMEM_u1_mc; ADDB_u1_mc; ADDS_u1_mc;
      SUBB_u1_mc; SUBS_u1_mc; XOR_u1_mc; AND_u1_mc;
      NOR_u1_mc; ANDMBAR_u1_mc; NOOP_mc; COMPARE_u2_mc;
      NOOP_mc; WRITEMEM_u2_mc; NOOP_mc; WRITEIO_u2_mc;
      NOOP_mc; AXY_WRITE_mc; NEGATE_u2_mc; NOOP_mc;
      CALL_u2_mc; CALL_u3_mc; FETCH_u3_mc; NOOP_mc;
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      READIO_u2_mc; MF3_u5_mc; READIO_u4_mc; NOOP_mc;
      READMEM_u2_mc; CK_VALID_PC_mc; NOOP_mc; ADDB_u2_mc;
      NOOP_mc; ADDS_u2_mc; CK_VALID_PC_mc; NO_OVL_mc;
      NOOP_mc; SUBB_u2_mc; NOOP_mc; SUBS_u2_mc;
      CK_VALID_PC_mc; NO_OVL_mc; NOOP_mc; XOR_u2_mc;
      NOOP_mc; AND_u2_mc; NOOP_mc; NOR_u2_mc;
      NOOP_mc; WAIT_mc; WAIT_mc; WAIT_mc;
      WAIT_mc; MF3_u6_mc; NOOP_mc; NOOP_mc;
      NOOP_mc; NOOP_mc; NOOP_mc; NOOP_mc;
      NOOP_mc; NOOP_mc; NOOP_mc; NOOP_mc;
      NOOP_mc; NOOP_mc; NOOP_mc; NOOP_mc;
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      NOOP_mc; NOOP_mc; NOOP_mc; NOOP_mc;
      NOOP_mc; NOOP_mc; NOOP_mc; NOOP_mc;
      NOOP_mc; NOOP_mc; NOOP_mc; NOOP_mc]"
  );;

save_thm(`micro_rom_expanded`,
  SUBS [FETCH_u1_mc; FETCH_u2_mc; FETCH_u3_mc; FETCH_u4_mc; JMP_reqm_mc;
        JMP_opc_mc; NOOP_mc; SHRS_u1_mc; SHRB_u1_mc; SHLS_u1_mc; SHLB_u1_mc;
        SHRS_u2_mc; SHRB_u2_mc; MF0_u1_mc; MF3_u6w1_mc;
        MF1_u1_mc; MF2_u1_mc; MF3_u1_mc; MF3_u2_mc; MF3_u4_mc; MF3_u5_mc;
        MF3_u6_mc; MF2_u3_mc; COMPARE_u1_mc; WRITEMEM_u1_mc; WRITEIO_u1_mc;
        NEG_u1_mc; CALL_u1_mc; READIO_u1_mc; READMEM_u1_mc; ADDB_u1_mc;
        ADDS_u1_mc; SUBB_u1_mc; SUBS_u1_mc; XOR_u1_mc; AND_u1_mc; NOR_u1_mc;
        ANDMBAR_u1_mc; COMPARE_u2_mc; WRITEMEM_u2_mc; WRITEIO_u2_mc;
        NEGATE_u2_mc; CALL_u2_mc; CALL_u3_mc; READIO_u2_mc; READIO_u4_mc;
        ADDB_u2_mc; ADDS_u2_mc; SUBB_u2_mc; SUBS_u2_mc; XOR_u2_mc; AND_u2_mc;
        NOR_u2_mc; MF3_u1w4_mc; MF3_u5w3_mc; WAIT_mc; CK_VALID_PC_mc;
        AXY_WRITE_mc; NO_OVL_mc; SHLB_u2_mc; READMEM_u2_mc]
    micro_rom
  );;

close_theory();;
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7 . 


File: def _micro . ml 

Description: Defines the behavioral description of the micro 

interpreter level 

Modified by Tony Leung to add wait states to memory fetches to patch 
up instruction micro cycles. 

Modified by ETS to include AXY_WR and CK_VAL_PC microinstructions 

x 

set_search,path (search_path( ) 0 lib_dir_list ) ; ; 

loadf ‘ abstract 4 ; ; 

system ‘ /bin/rm micro_def . th‘ ; ; 

new_theory ‘ micro.def ‘ ; 

map new_parent [ * tuple *; ‘aux_def‘; ^egs.def*; ‘ aux.thms { ; 

let rep_ty = abstract_type c aux_def‘ ‘opcode*;; 

let add_bt7 = new_def inition 
(‘add_bt7‘ , 

M ! x y . 
add_bt7 x y = 

bt7_ival ((bt7_val x) + y) M 

);; 

let FETCH, addr = M (F,F»F,F, F, F,F) n ; ; 
let NOOP.addr = " (F,F,F, F,T,T,F) M ; ; 
let SHRSl.addr = M (F,F,F,T,T,T,F)”; ; 
let SHRBl.addr = M (F,F,T,F,F > F,T) M ; ; 
let SHLBl,addr = " (F,F,T,F ,T, F,F) M ; ; 
let MFO.addr = " (F , F,T , F ,T ,T,T>" ; ; 
let MFOl.addr = " (F ,T, F ,F, F ,F ,F) " ; ; 
let MFll.addr = M (F,T,F,F,F,T,F) M ; ; 
let MF21_addr = M (F,T,F,F,T,F,T)"; ; 


let BASE_addr = " (F,T,F,F,T,T,F) M ; ; 


let COMPARE 1 .addr * " (F,T\T,T,F,T,T) 11 ; ; 


let WRITEMEM 1 _ addr = " (F >T ,T,T,T,F,T) " ; ; 
let WRITEIOl.addr = " (F ,T,T,T,T,T,T) " ; ; 
let NEGl.addr = " (T ,F,F, F»F,F,T)" ; ; 
let CALL 1 .addr = " (T , F , F ,F,T, F»F) '* ; ; 
let READIOl.addr = M (T,F»F,T,F,F,F) M ; ; 
let READMEMl.addr = M (T»F,F,T,T,F,F) M ; ; 
let ADDBl.addr = M (T,F,F,T,T,T,T) M ; ; 
let ADDS 1. addr * "(T,F,T,F,F,F,T) M ; ; 
let SUBBl.addr = " (T, F,T ,F,T»F,T) " ; ; 
let SUBS 1_ addr = " 0\F,T ,F,T,T,T) " ; ; 
let XORl.addr = " (T »F ,T,T, F,T,T) " ; ; 
let ANDl.addr = " (T , F,T ,T ,T ,F ,T) M ; ; 
let NORl.addr - ,l (T,F,T,T,T t T,T) M ; ; 
let wait.O.addr - M (T ,T , F , F ,T ,F ,T) M ; ; 
let wait_l_addr = " (T »T >F , F ,T ,F , F) M ; ; 
let wait_2_addr = ” (T,T, F , F,F,T,T) " ; ; 
let wait_3_addr * " (T,T, F,F,F,T,F) " ; ; 
let wait_4_addr - M (T ,T, F , F,F,F, T) " ; ; 
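Added example, not part of the HOL sources of the report: a Python cross-check of the bt7 address constants above against the micro-ROM layout, where ROM entries 19..127 are transcribed from the micro_rom listing above and entries 0..18 from the "Micro instruction N:" comments that head the definitions below. An address that lands on the wrong microinstruction would not be caught by any proof about the individual microinstructions, so this is the check a verifier wants before trusting the `*_addr` jumps.

```python
T, F = True, False

def bt7_val(bits):
    """Value of a bt7, most significant bit first: (T,T,F,F,T,F,T) -> 101.
    Accepts the page's tuples of T/F or a string such as "TTFFTFT"."""
    v = 0
    for bit in bits:
        v = (v << 1) | (1 if bit in (True, "T") else 0)
    return v

def add_bt7(addr, n):
    """The page's add_bt7 (bt7_ival ((bt7_val x) + y)) modelled as 7-bit
    wrap-around addition; the target is returned as an int 0..127."""
    return (bt7_val(addr) + n) % 128

# The *_addr constants defined above, written as T/F strings.
ADDR = {
    "FETCH": "FFFFFFF", "NOOP": "FFFFTTF", "SHRS1": "FFFTTTF",
    "SHRB1": "FFTFFFT", "SHLB1": "FFTFTFF", "MF0": "FFTFTTT",
    "MF01": "FTFFFFF", "MF11": "FTFFFTF", "MF21": "FTFFTFT",
    "BASE": "FTFFTTF", "COMPARE1": "FTTTFTT", "WRITEMEM1": "FTTTTFT",
    "WRITEIO1": "FTTTTTT", "NEG1": "TFFFFFT", "CALL1": "TFFFTFF",
    "READIO1": "TFFTFFF", "READMEM1": "TFFTTFF", "ADDB1": "TFFTTTT",
    "ADDS1": "TFTFFFT", "SUBB1": "TFTFTFT", "SUBS1": "TFTFTTT",
    "XOR1": "TFTTFTT", "AND1": "TFTTTFT", "NOR1": "TFTTTTT",
    "wait_0": "TTFFTFT", "wait_1": "TTFFTFF", "wait_2": "TTFFFTT",
    "wait_3": "TTFFFTF", "wait_4": "TTFFFFT",
}

# ROM[i] is the microinstruction at micro-ROM address i.
ROM = ["FETCH_u1", "FETCH_u2", "FETCH_u3", "FETCH_u4", "JMP_reqm", "JMP_opc",
       "NOOP", "SHRS_u1", "SHRB_u1", "SHLB_u1", "AXY_WRITE", "SHLS_u1",
       "NO_OVL", "NOOP", "AXY_WRITE", "SHRS_u2", "NOOP", "AXY_WRITE",
       "SHRB_u2",                      # 0..18, from the comments below
       "NOOP", "AXY_WRITE", "SHLB_u2", "NOOP", "MF0_u1", "MF1_u1", "MF2_u1",
       "MF3_u1", "MF3_u2", "FETCH_u3", "MF3_u4", "MF3_u5", "MF3_u6w1",
       "MF3_u1w4", "MF3_u6", "MF3_u4", "MF3_u5w3", "MF3_u6", "MF3_u1",
       "MF2_u3", "FETCH_u3", "MF3_u4", "MF3_u5", "MF3_u6", "COMPARE_u1",
       "WRITEMEM_u1", "WRITEIO_u1", "NEG_u1", "CALL_u1", "READIO_u1",
       "READMEM_u1", "ADDB_u1", "ADDS_u1", "SUBB_u1", "SUBS_u1", "XOR_u1",
       "AND_u1", "NOR_u1", "ANDMBAR_u1", "NOOP", "COMPARE_u2", "NOOP",
       "WRITEMEM_u2", "NOOP", "WRITEIO_u2", "NOOP", "AXY_WRITE", "NEGATE_u2",
       "NOOP", "CALL_u2", "CALL_u3", "FETCH_u3", "NOOP", "READIO_u2", "MF3_u5",
       "READIO_u4", "NOOP", "READMEM_u2", "CK_VALID_PC", "NOOP", "ADDB_u2",
       "NOOP", "ADDS_u2", "CK_VALID_PC", "NO_OVL", "NOOP", "SUBB_u2", "NOOP",
       "SUBS_u2", "CK_VALID_PC", "NO_OVL", "NOOP", "XOR_u2", "NOOP", "AND_u2",
       "NOOP", "NOR_u2", "NOOP", "WAIT", "WAIT", "WAIT", "WAIT", "MF3_u6",
       ] + ["NOOP"] * 26               # 102..127 are all NOOP

# Where each address should land, per the "goto ..." comments below: the
# *1 addresses sit on the AXY_WRITE guard (shifts, NEG) or on the second
# microinstruction of the instruction; wait_N leads through N WAITs.
EXPECTED = {
    "FETCH": "FETCH_u1", "NOOP": "NOOP", "SHRS1": "AXY_WRITE",
    "SHRB1": "AXY_WRITE", "SHLB1": "AXY_WRITE", "MF0": "MF0_u1",
    "MF01": "MF3_u1w4", "MF11": "MF3_u4", "MF21": "MF3_u1",
    "COMPARE1": "COMPARE_u2", "WRITEMEM1": "WRITEMEM_u2",
    "WRITEIO1": "WRITEIO_u2", "NEG1": "AXY_WRITE", "CALL1": "CALL_u2",
    "READIO1": "READIO_u2", "READMEM1": "READMEM_u2", "ADDB1": "ADDB_u2",
    "ADDS1": "ADDS_u2", "SUBB1": "SUBB_u2", "SUBS1": "SUBS_u2",
    "XOR1": "XOR_u2", "AND1": "AND_u2", "NOR1": "NOR_u2",
    "wait_4": "WAIT", "wait_3": "WAIT", "wait_2": "WAIT", "wait_1": "WAIT",
    "wait_0": "MF3_u6",
}

def check_rom_addresses(rom=ROM, addr=ADDR, expected=EXPECTED):
    """List of (name, address, microinstruction found) mismatches; empty
    when the address table agrees with the ROM layout."""
    return [(name, bt7_val(addr[name]), rom[bt7_val(addr[name])])
            for name, want in expected.items()
            if rom[bt7_val(addr[name])] != want]

def jmp_reqm_targets(addr=ADDR, rom=ROM):
    """Targets of JMP_reqm's 'add_bt7 ^MF0_addr (bt2_val(MSF rep ins))'
    for MSF = 0..3: the memory-fetch entry point per MF value."""
    return [rom[add_bt7(addr["MF0"], msf)] for msf in range(4)]

def wait_chain(addr=ADDR, rom=ROM, start="wait_4"):
    """(number of WAIT cycles, microinstruction reached) from wait_N;
    WAIT is assumed to step mpc by one (its definition is not on this page)."""
    a, n = bt7_val(addr[start]), 0
    while rom[a] == "WAIT":
        n, a = n + 1, a + 1
    return n, rom[a]
```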


%
  Micro instruction 57: ANDMBAR - destreg := r /\ m
%

let ANDMBAR_u1 = new_definition
  (`ANDMBAR_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    ANDMBAR_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      let new_stop = ((DSF rep ins = (F,T,T)) \/
                      (DSF rep ins = (T,F,F)) \/
                      (DSF rep ins = (T,F,T)) \/
                      (DSF rep ins = (T,T,F)) \/
                      (DSF rep ins = (T,T,T))) in
      let randmbar = band rep ((EL (bt2_val(RSF rep ins)) regs), bnot rep m) in
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      ((new_stop => regs | update_reg regs (DSF rep ins) b randmbar),
       m, ins, din, dout, ram, b, new_stop,
       (new_stop => ovl | F), mar,
       (new_stop => res | randmbar),
       (new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1))"
%
      (update_reg regs (DSF rep ins) b randmbar, m, ins, din, dout, ram,
       b, new_stop, F, mar, randmbar, add_bt7 mpc 1)"
%
  );;

save_thm(`ANDMBAR_u1`, EXPAND_LET_RULE ANDMBAR_u1);;

%
  Micro instruction 0: get instn from mem[pc]
%

let FETCH_u1 = new_definition
  (`FETCH_u1_def`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    FETCH_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      let paddr = address rep (EL p_reg regs) in
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, fetch rep (ram,paddr), dout, ram, b, F, F,
       paddr, m, add_bt7 mpc 1)"
  );;

save_thm(`FETCH_u1`, EXPAND_LET_RULE FETCH_u1);;

%
  Micro instruction 1: increment p
%

let FETCH_u2 = new_definition
  (`FETCH_u2_def`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    FETCH_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      let newp = add rep ((EL p_reg regs),(wordn rep 1)) in
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (update_reg regs (F,T,T) b newp, m, ins, din, dout, ram, b,
       F, aovfl rep ((EL p_reg regs),(wordn rep 1),newp),
       mar, newp, add_bt7 mpc 1)"
  );;

save_thm(`FETCH_u2`, EXPAND_LET_RULE FETCH_u2);;

%
  Micro instruction 2: check if (p+1) is valid
%

let FETCH_u3 = new_definition
  (`FETCH_u3_def`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    FETCH_u3 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      let new_stop = ~(valid_address rep res) in
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, new_stop,
       (new_stop => ovl | F), mar, (new_stop => res | m),
       (new_stop => (F,F,F,F,F,F,F) | (add_bt7 mpc 1)))"
  );;

save_thm(`FETCH_u3`, EXPAND_LET_RULE FETCH_u3);;

%
  Micro instruction 3: read instruction into ins register
%

let FETCH_u4 = new_definition
  (`FETCH_u4_def`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    FETCH_u4 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, din, din, dout, ram, b, F, F, mar, m, add_bt7 mpc 1)"
  );;

save_thm(`FETCH_u4`, EXPAND_LET_RULE FETCH_u4);;

%
  Micro instruction 4: jmp on reqm
%

let JMP_reqm = new_definition
  (`JMP_reqm`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    JMP_reqm rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      let ins_dec = (decode rep (opcode rep ins, b)) in
      let new_stop =
        (FST ins_dec \/ (((FST(SND(ins_dec)) = (F,F,T,T,F)) \/
                          (FST(SND(ins_dec)) = (F,F,T,T,T)))
                         /\ ((MSF rep ins) = (F,F)))) in
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, new_stop,
       (new_stop => ovl | F), mar,
       (new_stop => res | m),
       (new_stop => (F,F,F,F,F,F,F) |
        SND(SND ins_dec) => add_bt7 ^MF0_addr (bt2_val(MSF rep ins)) |
                            add_bt7 mpc 1))"
  );;

save_thm(`JMP_reqm`, EXPAND_LET_RULE JMP_reqm);;

%
  Micro instruction 5: jmp to (noop+opc)
%

let JMP_opc = new_definition
  (`JMP_opc`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    JMP_opc rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m,
       add_bt7 ^NOOP_addr (bt5_val (FST (SND (decode rep (opcode rep ins,b))))))"
  );;

save_thm(`JMP_opc`, EXPAND_LET_RULE JMP_opc);;
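Added example, not code from the report: a Python model of the micro-level state tuple (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) and of micro instructions 0..3 (FETCH_u1..FETCH_u4) as defined above, run to show the fail-stop behaviour of the fetch sequence: an incremented p that is no longer a valid 20-bit address sets stop in FETCH_u3, and once stop is set every microinstruction keeps it set and returns mpc to FETCH_addr, so the machine stays halted. The `rep` operations are abstract on this page, so address, valid_address, add, aovfl and fetch are assumed concrete models (32-bit words, 20-bit addresses, registers a=0, x=1, y=2, p=3), and decode/JMP_reqm are not modelled.

```python
WORD = 1 << 32          # assumed word size
ADDR_BITS = 20          # "check if addr > 20 bits" in the comments on this page
P_REG = 3               # p_reg: FETCH_u2 writes P through update_reg regs (F,T,T)
FETCH_ADDR = 0          # ^FETCH_addr = (F,F,F,F,F,F,F)

def address(w):                  # address rep: the low 20 bits of a word (assumed)
    return w & ((1 << ADDR_BITS) - 1)

def valid_address(w):            # valid_address rep: the word fits in 20 bits
    return w < (1 << ADDR_BITS)

def add(x, y):                   # add rep: wrapping word addition (assumed)
    return (x + y) % WORD

def aovfl(x, y, s):              # aovfl rep: two's-complement overflow (assumed)
    sign = lambda v: (v >> 31) & 1
    return sign(x) == sign(y) and sign(s) != sign(x)

def fetch(ram, a):               # fetch rep: RAM as a dict, unwritten words read 0
    return ram.get(a, 0)

def update_reg(regs, dest, b, val):   # b is carried as on the page, unused here
    new = list(regs)
    new[dest] = val
    return new

def stopped(s):
    """First branch of every microinstruction above: with stop set the
    state is kept, stop stays T and mpc returns to FETCH_addr."""
    regs, m, ins, din, dout, ram, b, stop, ovl, mar, res, mpc = s
    return (regs, m, ins, din, dout, ram, b, True, ovl, mar, res, FETCH_ADDR)

def FETCH_u1(s):                 # 0: get instn from mem[pc]
    regs, m, ins, din, dout, ram, b, stop, ovl, mar, res, mpc = s
    if stop:
        return stopped(s)
    paddr = address(regs[P_REG])
    return (regs, m, ins, fetch(ram, paddr), dout, ram, b, False, False,
            paddr, m, mpc + 1)

def FETCH_u2(s):                 # 1: increment p; overflow of p+1 goes to ovl
    regs, m, ins, din, dout, ram, b, stop, ovl, mar, res, mpc = s
    if stop:
        return stopped(s)
    newp = add(regs[P_REG], 1)
    return (update_reg(regs, P_REG, b, newp), m, ins, din, dout, ram, b,
            False, aovfl(regs[P_REG], 1, newp), mar, newp, mpc + 1)

def FETCH_u3(s):                 # 2: halt if (p+1), left in res, is invalid
    regs, m, ins, din, dout, ram, b, stop, ovl, mar, res, mpc = s
    if stop:
        return stopped(s)
    new_stop = not valid_address(res)
    return (regs, m, ins, din, dout, ram, b, new_stop,
            ovl if new_stop else False, mar, res if new_stop else m,
            FETCH_ADDR if new_stop else mpc + 1)

def FETCH_u4(s):                 # 3: read the fetched word into ins
    regs, m, ins, din, dout, ram, b, stop, ovl, mar, res, mpc = s
    if stop:
        return stopped(s)
    return (regs, m, din, din, dout, ram, b, False, False, mar, m, mpc + 1)

MICRO_ROM = {0: FETCH_u1, 1: FETCH_u2, 2: FETCH_u3, 3: FETCH_u4}

def run(s, steps):
    """Execute the microinstruction at mpc, `steps` times; returns the final
    state and a (name, stop, mpc) trace. Ends at the first unmodelled mpc."""
    trace = []
    for _ in range(steps):
        mi = MICRO_ROM.get(s[11])
        if mi is None:
            break
        s = mi(s)
        trace.append((mi.__name__, s[7], s[11]))
    return s, trace

def initial(p, ram):
    return ([0, 0, 0, p], 0, 0, 0, 0, ram, False, False, False, 0, 0, FETCH_ADDR)

def fetch_from(p, ram, steps=8):
    """(stop, ovl, ins, p, mpc) after running the fetch sequence from p."""
    s, _ = run(initial(p, ram), steps)
    return s[7], s[8], s[2], s[0][P_REG], s[11]
```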



%
  Micro instruction 6: NOOP - goto fetch
%

let NOOP = new_definition
  (`NOOP`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    NOOP rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^FETCH_addr)"
  );;

save_thm(`NOOP`, EXPAND_LET_RULE NOOP);;

%
  Micro instruction 7: SHRS - goto shrs1
%

let SHRS_u1 = new_definition
  (`SHRS_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    SHRS_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^SHRS1_addr)"
  );;

save_thm(`SHRS_u1`, EXPAND_LET_RULE SHRS_u1);;

%
  Micro instruction 8: SHRB - goto shrb1
%

let SHRB_u1 = new_definition
  (`SHRB_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    SHRB_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^SHRB1_addr)"
  );;

save_thm(`SHRB_u1`, EXPAND_LET_RULE SHRB_u1);;

%
  Micro instruction 9: SHLB - goto shlb1
%

let SHLB_u1 = new_definition
  (`SHLB_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    SHLB_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^SHLB1_addr)"
  );;

save_thm(`SHLB_u1`, EXPAND_LET_RULE SHLB_u1);;

%
  Micro instruction 10: AXY_WRITE - check if dest != a, x or y
%

let AXY_WRITE = new_definition
  (`AXY_WRITE`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    AXY_WRITE rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      let new_stop = ((DSF rep ins = (F,T,T)) \/
                      (DSF rep ins = (T,F,F)) \/
                      (DSF rep ins = (T,F,T)) \/
                      (DSF rep ins = (T,T,F)) \/
                      (DSF rep ins = (T,T,T))) in
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, new_stop,
       (new_stop => ovl | F), mar,
       (new_stop => res | m),
       (new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1))"
  );;

save_thm(`AXY_WRITE`, EXPAND_LET_RULE AXY_WRITE);;
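Added example, not from the report: the destination-register guard that AXY_WRITE (micro instruction 10) applies before a register-writing microinstruction and that ANDMBAR_u1 (micro instruction 57) folds into its own operation, modelled in Python. DSF rep and RSF rep are abstract field selectors on this page, so the model takes the decoded 3-bit DSF and 2-bit RSF values as arguments; registers are assumed to be a=0, x=1, y=2, p=3 and band/bnot are modelled on 32-bit words.

```python
MASK32 = (1 << 32) - 1       # assumed word size for band / bnot
FETCH_ADDR = 0               # ^FETCH_addr = (F,F,F,F,F,F,F)
# DSF values that halt the machine: (F,T,T),(T,F,F),(T,F,T),(T,T,F),(T,T,T).
# Only 0, 1, 2 (a, x, y) may be written; 3 is p.
STOP_DSF = {3, 4, 5, 6, 7}

def stopped(s):
    """First branch of every microinstruction: keep state, keep stop = T,
    return mpc to FETCH_addr."""
    regs, m, ins, din, dout, ram, b, stop, ovl, mar, res, mpc = s
    return (regs, m, ins, din, dout, ram, b, True, ovl, mar, res, FETCH_ADDR)

def axy_write(s, dsf):
    """AXY_WRITE: halt unless the destination is a, x or y. Nothing is
    written here; the next microinstruction in the ROM does the write."""
    regs, m, ins, din, dout, ram, b, stop, ovl, mar, res, mpc = s
    if stop:
        return stopped(s)
    new_stop = dsf in STOP_DSF
    return (regs, m, ins, din, dout, ram, b, new_stop,
            ovl if new_stop else False, mar, res if new_stop else m,
            FETCH_ADDR if new_stop else mpc + 1)

def andmbar_u1(s, dsf, rsf):
    """ANDMBAR_u1: the same guard folded into the operation. The result
    r /\ ~m is written, and latched in res, only when the guard passes."""
    regs, m, ins, din, dout, ram, b, stop, ovl, mar, res, mpc = s
    if stop:
        return stopped(s)
    new_stop = dsf in STOP_DSF
    randmbar = regs[rsf] & (~m & MASK32)        # band rep (r, bnot rep m)
    new_regs = list(regs)
    if not new_stop:                            # new_stop => regs | update_reg ...
        new_regs[dsf] = randmbar
    return (new_regs, m, ins, din, dout, ram, b, new_stop,
            ovl if new_stop else False, mar,
            res if new_stop else randmbar,
            FETCH_ADDR if new_stop else mpc + 1)

def state(regs, m, mpc):
    """A constructed micro-level state with the fields the guard reads."""
    return (list(regs), m, 0, 0, 0, {}, False, False, False, 0, 0, mpc)

def try_andmbar(regs, m, dsf, rsf):
    """(stop, regs, res, mpc) after one ANDMBAR_u1 at ROM address 57."""
    s = andmbar_u1(state(regs, m, 57), dsf, rsf)
    return s[7], s[0], s[10], s[11]

def try_axy_write(regs, m, dsf):
    """(stop, mpc) after one AXY_WRITE at ROM address 10."""
    s = axy_write(state(regs, m, 10), dsf)
    return s[7], s[11]
```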

%
  Micro instruction 11: SHLS - destreg := shifted value
%

let SHLS_u1 = new_definition
  (`SHLS_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    SHLS_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      let sval = shl rep (EL (bt2_val(RSF rep ins)) regs) in
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (update_reg regs (DSF rep ins) b sval, m, ins, din, dout, ram, b,
       F, bitn rep (EL (bt2_val(RSF rep ins)) regs), mar, sval,
       add_bt7 mpc 1)"
  );;

save_thm(`SHLS_u1`, EXPAND_LET_RULE SHLS_u1);;

%
  Micro instruction 12: NO_OVL
%

let NO_OVL = new_definition
  (`NO_OVL`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    NO_OVL rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      let new_stop = (ovl) in
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, ovl, ovl, mar,
       (ovl => res | m),
       (ovl => (F,F,F,F,F,F,F) | add_bt7 mpc 1))"
  );;

save_thm(`NO_OVL`, EXPAND_LET_RULE NO_OVL);;

%
  Micro instruction 13: - goto fetch (NOOP)
%

%
  Micro instruction 14: AXY_WRITE
%

%
  Micro instruction 15: SHRS - destreg := shifted value
%

let SHRS_u2 = new_definition
  (`SHRS_u2`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    SHRS_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (update_reg regs (DSF rep ins) b
         (shr rep (EL (bt2_val(RSF rep ins)) regs)),
       m, ins, din, dout, ram, b, F, F,
       mar, (shr rep (EL (bt2_val(RSF rep ins)) regs)), add_bt7 mpc 1)"
  );;

save_thm(`SHRS_u2`, EXPAND_LET_RULE SHRS_u2);;

%
  Micro instruction 16: - goto fetch (NOOP)
%

%
  Micro instruction 17: AXY_WRITE
%

%
  Micro instruction 18: SHRB - destreg := shifted value
%

let SHRB_u2 = new_definition
  (`SHRB_u2`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    SHRB_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      let sval = shrb rep ((EL (bt2_val(RSF rep ins)) regs), b) in
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (update_reg regs (DSF rep ins) b sval, m, ins, din, dout, ram,
       bit0 rep (EL (bt2_val(RSF rep ins)) regs), F, F, mar, sval,
       add_bt7 mpc 1)"
  );;

save_thm(`SHRB_u2`, EXPAND_LET_RULE SHRB_u2);;

%
  Micro instruction 19: - goto fetch (NOOP)
%

%
  Micro instruction 20: AXY_WRITE
%

%
  Micro instruction 21: SHLB - destreg := shifted value
%

let SHLB_u2 = new_definition
  (`SHLB_u2`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    SHLB_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      let sval = shlb rep ((EL (bt2_val(RSF rep ins)) regs), b) in
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (update_reg regs (DSF rep ins) b sval, m, ins, din, dout, ram,
       bitn rep (EL (bt2_val(RSF rep ins)) regs), F, F, mar, sval,
       add_bt7 mpc 1)"
  );;

save_thm(`SHLB_u2`, EXPAND_LET_RULE SHLB_u2);;

%
  Micro instruction 22: - goto fetch (NOOP)
%

%
  Micro instruction 23: fetch m : MF=0 - goto mf01
%

let MF0_u1 = new_definition
  (`MF0_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    MF0_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^MF01_addr)"
  );;

save_thm(`MF0_u1`, EXPAND_LET_RULE MF0_u1);;

%
  Micro instruction 24: fetch m : MF=1 - goto mf11
%

let MF1_u1 = new_definition
  (`MF1_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    MF1_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, m­ar, m, ^MF11_addr)"
  );;

save_thm(`MF1_u1`, EXPAND_LET_RULE MF1_u1);;

%
  Micro instruction 25: fetch m : MF=2 - goto mf21
%

let MF2_u1 = new_definition
  (`MF2_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    MF2_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^MF21_addr)"
  );;

save_thm(`MF2_u1`, EXPAND_LET_RULE MF2_u1);;

%
  Micro instruction 26: fetch m : MF=3 - M := addr
%

let MF3_u1 = new_definition
  (`MF3_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    MF3_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, pad rep (address rep ins), ins, din, dout, ram, b, F, F,
       mar, pad rep (address rep ins), add_bt7 mpc 1)"
  );;

save_thm(`MF3_u1`, EXPAND_LET_RULE MF3_u1);;

%
  Micro instruction 27: fetch m : MF=3 - addr := m + y
%

let MF3_u2 = new_definition
  (`MF3_u2`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    MF3_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      let mplusy = add rep ((EL y_reg regs),m) in
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, join rep (opcode rep ins, address rep mplusy), din,
       dout, ram, b, F, aovfl rep ((EL y_reg regs), m, mplusy),
       mar, mplusy, add_bt7 mpc 1)"
  );;

save_thm(`MF3_u2`, EXPAND_LET_RULE MF3_u2);;

%
  Micro instruction 28: fetch m : MF=3 - check if addr > 20 bits (FETCH_u3)
%

%
  Micro instruction 29: fetch m : MF=3 - get word from mem(addr)
%

let MF3_u4 = new_definition
  (`MF3_u4_def`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    MF3_u4 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, fetch rep (ram, address rep ins), dout, ram,
       b, F, F, address rep ins, m, add_bt7 mpc 1)"
  );;

save_thm(`MF3_u4`, EXPAND_LET_RULE MF3_u4);;

%
  Micro instruction 30: fetch m : MF=3 - read word into m register
%

let MF3_u5 = new_definition
  (`MF3_u5_def`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    MF3_u5 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, din, ins, din, dout, ram, b, F, F, mar, m, add_bt7 mpc 1)"
  );;

save_thm(`MF3_u5`, EXPAND_LET_RULE MF3_u5);;

%
  Micro instruction 31: fetch m : MF=3 - goto base+opc wait 1 cycle
%

let MF3_u6w1 = new_definition
  (`MF3_u6w1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    MF3_u6w1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^wait_0_addr)"
  );;

save_thm(`MF3_u6w1`, EXPAND_LET_RULE MF3_u6w1);;

%
  Micro instruction 32: fetch m : MF=0 - M := addr wait 4 cycles
%

let MF3_u1w4 = new_definition
  (`MF3_u1w4`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    MF3_u1w4 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, pad rep (address rep ins), ins, din, dout, ram, b, F, F,
       mar, pad rep (address rep ins), ^wait_4_addr)"
  );;

save_thm(`MF3_u1w4`, EXPAND_LET_RULE MF3_u1w4);;



%
  Micro instruction 33: fetch m : MF=0 - goto base+opc (MF3_u6)
%

%
  Micro instruction 34: fetch m : MF=1 - get word from mem(addr) (MF3_u4)
%

%
  Micro instruction 35: fetch m : MF=1 - read word into m register wait 3 cycles
%

let MF3_u5w3 = new_definition
  (`MF3_u5w3_def`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    MF3_u5w3 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, din, ins, din, dout, ram, b, F, F, mar, m, ^wait_3_addr)"
  );;

save_thm(`MF3_u5w3`, EXPAND_LET_RULE MF3_u5w3);;

%
  Micro instruction 36: fetch m : MF=1 - goto base+opc (MF3_u6)
%

%
  Micro instruction 37: fetch m : MF=2 - M := addr (MF3_u1)
%

%
  Micro instruction 38: fetch m : MF=2 - addr := m + x
%

let MF2_u3 = new_definition
  (`MF2_u3`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    MF2_u3 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      let mplusx = add rep ((EL x_reg regs),m) in
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, join rep (opcode rep ins, address rep mplusx), din,
       dout, ram, b, F, aovfl rep ((EL x_reg regs), m, mplusx),
       mar, mplusx, add_bt7 mpc 1)"
  );;

save_thm(`MF2_u3`, EXPAND_LET_RULE MF2_u3);;

%
  Micro instruction 39: fetch m : MF=2 - check if addr > 20 bits (FETCH_u3)
%

%
  Micro instruction 40: fetch m : MF=2 - get word from mem(addr) (MF3_u4)
%

%
  Micro instruction 41: fetch m : MF=2 - read word into m register (MF3_u5)
%

%
  Micro instruction 42: fetch m : MF=2 - goto base+opc (MF3_u6)
%

%
  Micro instruction 43: COMPARE - goto compare1
%

let COMPARE_u1 = new_definition
  (`COMPARE_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    COMPARE_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^COMPARE1_addr)"
  );;

save_thm(`COMPARE_u1`, EXPAND_LET_RULE COMPARE_u1);;


%
  Micro instruction 44: WRITEMEM - goto writemem1
%

let WRITEMEM_u1 = new_definition
  (`WRITEMEM_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    WRITEMEM_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^WRITEMEM1_addr)"
  );;

save_thm(`WRITEMEM_u1`, EXPAND_LET_RULE WRITEMEM_u1);;

%
  Micro instruction 45: WRITEIO - goto writeio1
%

let WRITEIO_u1 = new_definition
  (`WRITEIO_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    WRITEIO_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^WRITEIO1_addr)"
  );;

save_thm(`WRITEIO_u1`, EXPAND_LET_RULE WRITEIO_u1);;

%
  Micro instruction 46: NEG - goto neg1
%

let NEG_u1 = new_definition
  (`NEG_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    NEG_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^NEG1_addr)"
  );;

save_thm(`NEG_u1`, EXPAND_LET_RULE NEG_u1);;

%
  Micro instruction 47: CALL - goto call1
%

let CALL_u1 = new_definition
  (`CALL_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    CALL_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^CALL1_addr)"
  );;

save_thm(`CALL_u1`, EXPAND_LET_RULE CALL_u1);;

%
  Micro instruction 48: READIO - goto readio1
%

let READIO_u1 = new_definition
  (`READIO_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    READIO_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^READIO1_addr)"
  );;

save_thm(`READIO_u1`, EXPAND_LET_RULE READIO_u1);;

%
  Micro instruction 49: READMEM - goto readmem1
%

let READMEM_u1 = new_definition
  (`READMEM_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    READMEM_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^READMEM1_addr)"
  );;

save_thm(`READMEM_u1`, EXPAND_LET_RULE READMEM_u1);;
%
  Micro instruction 50: ADDB - goto addb1
%

let ADDB_u1 = new_definition
  (`ADDB_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    ADDB_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^ADDB1_addr)"
  );;

save_thm(`ADDB_u1`, EXPAND_LET_RULE ADDB_u1);;

%
  Micro instruction 51: ADDS - goto adds1
%

let ADDS_u1 = new_definition
  (`ADDS_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    ADDS_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^ADDS1_addr)"
  );;

save_thm(`ADDS_u1`, EXPAND_LET_RULE ADDS_u1);;

%
  Micro instruction 52: SUBB - goto subb1
%

let SUBB_u1 = new_definition
  (`SUBB_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    SUBB_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^SUBB1_addr)"
  );;

save_thm(`SUBB_u1`, EXPAND_LET_RULE SUBB_u1);;

%
  Micro instruction 53: SUBS - goto subs1
%

let SUBS_u1 = new_definition
  (`SUBS_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    SUBS_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^SUBS1_addr)"
  );;

save_thm(`SUBS_u1`, EXPAND_LET_RULE SUBS_u1);;

%
  Micro instruction 54: XOR - goto xor1
%

let XOR_u1 = new_definition
  (`XOR_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    XOR_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^XOR1_addr)"
  );;

save_thm(`XOR_u1`, EXPAND_LET_RULE XOR_u1);;

%
  Micro instruction 55: AND - goto and1
%

let AND_u1 = new_definition
  (`AND_u1`,
   "! (rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
      (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
      (reset:bool) .
    AND_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
      stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
      (regs, m, ins, din, dout, ram, b, F, F, mar, m, ^AND1_addr)"
  );;

save_thm(`AND_u1`, EXPAND_LET_RULE AND_u1);;

%
  Micro instruction 56: NOR - goto nor1
%
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let NOR_ul = new.def inition 
( ‘NDR_ul 1 , 

M ! (rep: ~rep_ty) (regs : (*wordn)list ) (m ins din dout:*wordn) (ram: *memory) 
(b stop ovl:bool) (mar :* address) (res:*wordn) (mpc:bt7) 

(reset :bool) . 

N0R_ul rep (regs ,m, ins , din, dout , ram, b, stop, ovl , mar , res, mpc) (reset) = 
stop => (regs, m, ins , din, dout, ram, b,T, ovl, mar, res," FETCH_addr) I 

(regs, m» ins, din, dout, ram, b, F, F, mar, m, "NORl.addr ) " 

);; 

save_thm( < HOR_ul < , EXPAND_LET_RULE NOR.ul); ; 


X 

Micro instruction 58: ANDMBAR - goto fetch (NOOP) 
, X 


X 

Micro instruction 59: COMPARE - b := compare (r,m) 

X 

let C0MPARE_u2 - new.def ini t ion 
( ‘ C0MPARE_u2 ‘ , 

" ! (rep: “rep.ty) (regs : (*wordn)list) (m ins din dout : *wordn) (ram :* memory) 

(b stop ovl: bool) (mar :* address) (res:*wordn) (mpc:bt7) 

(reset :bool) . 

C0MPARE_u2 rep (regs ,m, ins ,din, dout , ram, b, stop, ovl , mar, res, mpc) (reset) = 
stop => (regs ,m, ins ,din,dout , ram, b,T, ovl , mar , res , * FETCH_addr) I 
(regs, m, ins, din, dout, ram, 

bcmp rep ((EL (bt2_val(RSF rep ins)) regs) ,m,b,FSF rep ins), F, 
F, mar, m, add_bt7 mpc 1)" 

);; 

save_thm( ‘ C0MPARE_u2 ‘ , EXPAND_LET_RULE C0MPARE_u2) ; ; 


Micro instruction 60: COMPARE - goto fetch (N00P) 
% 


7 . 


Micro instruction 61: WRITEMEM - write r to -address ins [0.. 19] in memory 


let WRITEMEM..U2 = new_def inition 
(‘WRITEMEM_u2‘ , 


■X 


M i (rep : ~rep_ty) (regs : (*wordn) list ) (m ins din dout : *wordn) (ram : *memory) 
(b stop ovl:bool) (mar : *address) (res:*wordn) (mpc:bt7) 

(reset : bool) . 

WRITEMEM_u2 rep (regs , m , ins , din, dout , ram ,b , stop, ovl , mar , res , mpc) (reset) » 


stop => (regs,m, ins, din, dout , ram, b,T,ovl,mar, res, “FETCH. addr) I 
(regs, m, ins, din, EL (bt2_val(RSF rep ins)) regs, 
store repCram, address rep ins, EL (bt2_val(RSF rep ins)) regs), 
b, F, F, address rep ins, m, add.bt7 mpc 1)*' 

);; 

save_thm( 1 WRITEMEM_u2 ‘ , EXPAND.LET.RULE WRITEMEM_u2) ; ; 

%
 Micro instruction 62: WRITEMEM - goto fetch (NOOP)
%

%
 Micro instruction 63: WRITEIO - write r to address ins[0..19] in io
%

let WRITEIO_u2 = new_definition
  (`WRITEIO_u2`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    WRITEIO_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             (regs, m, ins, din, EL (bt2_val(RSF rep ins)) regs,
              storeio rep (ram, address rep ins,
                           EL (bt2_val(RSF rep ins)) regs),
              b, F, F, address rep ins, m, add_bt7 mpc 1)"
  );;

save_thm(`WRITEIO_u2`, EXPAND_LET_RULE WRITEIO_u2);;

%
 Micro instruction 64: WRITEIO - goto fetch (NOOP)
%

%
 Micro instruction 65: AXY_WRITE
%

%
 Micro instruction 66: NEGATE - destreg := -m
%

let NEGATE_u2 = new_definition
  (`NEGATE_u2`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    NEGATE_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             (update_reg regs (DSF rep ins) b (neg rep m), m, ins, din, dout,
              ram, b, F, F, mar, (neg rep m), add_bt7 mpc 1)"
  );;

save_thm(`NEGATE_u2`, EXPAND_LET_RULE NEGATE_u2);;


%
 Micro instruction 67: NEGATE - goto fetch (NOOP)
%

%
 Micro instruction 68: CALL - y :=
%

let CALL_u2 = new_definition
  (`CALL_u2`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    CALL_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             (update_reg regs (F,T,F) b (EL p_reg regs), m, ins, din, dout,
              ram, b, F, F, mar, (EL p_reg regs), add_bt7 mpc 1)"
  );;

save_thm(`CALL_u2`, EXPAND_LET_RULE CALL_u2);;

%
 Micro instruction 69: CALL - p := m
%

let CALL_u3 = new_definition
  (`CALL_u3`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    CALL_u3 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             (update_reg regs (F,T,T) b m, m, ins, din, dout, ram, b, F, F,
              mar, m, add_bt7 mpc 1)"
  );;

save_thm(`CALL_u3`, EXPAND_LET_RULE CALL_u3);;




%
 Micro instruction 70: CALL - check msb 12 bits of res (FETCH_u3)
%

%
 Micro instruction 71: CALL - goto fetch (NOOP)
%

%
 Micro instruction 72: READIO - get word from io(addr)
%

let READIO_u2 = new_definition
  (`READIO_u2_def`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    READIO_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             (regs, m, ins, fetchio rep (ram, address rep ins), dout, ram,
              b, F, F, address rep ins, m, add_bt7 mpc 1)"
  );;

save_thm(`READIO_u2`, EXPAND_LET_RULE READIO_u2);;

%
 Micro instruction 73: READIO - read word into m register (MF3_u5)
%

%
 Micro instruction 74: READIO - destreg := m

 READIO_u4 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
  stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
          (update_reg regs (DSF rep ins) b m, m, ins, din, dout,
           ram, b, F, F, mar, m, add_bt7 mpc 1)
%

let READIO_u4 = new_definition
  (`READIO_u4`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    READIO_u4 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     let new_stop = ((DSF rep ins = (F,T,T)) \/
                     (DSF rep ins = (T,F,F)) \/
                     (DSF rep ins = (T,F,T)) \/
                     (DSF rep ins = (T,T,F)) \/
                     (DSF rep ins = (T,T,T))) in
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             ((new_stop => regs | update_reg regs (DSF rep ins) b m),
              m, ins, din, dout, ram, b, new_stop,
              (new_stop => ovl | F), mar,
              (new_stop => res | m),
              (new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1))"
  );;

save_thm(`READIO_u4`, EXPAND_LET_RULE READIO_u4);;

%
 Micro instruction 75: READIO - goto fetch (NOOP)
%

%
 Micro instruction 76: READMEM - destreg := m (READIO_u4)
%

let READMEM_u2 = new_definition
  (`READMEM_u2`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    READMEM_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             (update_reg regs (DSF rep ins) b m, m, ins, din, dout,
              ram, b, F, F, mar, m, add_bt7 mpc 1)"
  );;

save_thm(`READMEM_u2`, EXPAND_LET_RULE READMEM_u2);;


%
 Micro instruction 77: READMEM - check if dest=p /\ result > 20 bits

 This used to be SHLB_u2
%

let CK_VALID_PC = new_definition
  (`CK_VALID_PC`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    CK_VALID_PC rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     let new_stop = (((DSF rep ins = (T,T,F)) \/
                      (DSF rep ins = (T,T,T))) \/
                     (~(((DSF rep ins = (T,F,F)) /\ ~b) \/
                        ((DSF rep ins = (T,F,T)) /\ b)) /\
                      ((DSF rep ins = (F,T,T)) \/
                       (DSF rep ins = (T,F,F)) \/
                       (DSF rep ins = (T,F,T))) /\
                      ~(valid_address rep res))) in
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             (regs, m, ins, din, dout, ram, b, new_stop,
              (new_stop => ovl | F), mar,
              (new_stop => res | m),
              (new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1))"
  );;

save_thm(`CK_VALID_PC`, EXPAND_LET_RULE CK_VALID_PC);;

%
 Micro instruction 78: READMEM - goto fetch (NOOP)
%

%
 Micro instruction 79: ADDB - destreg := r+m; b := carry
%

let ADDB_u2 = new_definition
  (`ADDB_u2`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    ADDB_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     let rplusm = (add rep ((EL (bt2_val(RSF rep ins)) regs),m)) in
     let new_stop = ((DSF rep ins = (F,T,T)) \/
                     (DSF rep ins = (T,F,F)) \/
                     (DSF rep ins = (T,F,T)) \/
                     (DSF rep ins = (T,T,F)) \/
                     (DSF rep ins = (T,T,T))) in
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             ((new_stop => regs | update_reg regs (DSF rep ins) b rplusm),
              m, ins, din, dout, ram,
              (new_stop => b |
                 addp rep ((EL (bt2_val(RSF rep ins)) regs),m,rplusm)),
              new_stop,
              (new_stop => ovl |
                 aovfl rep ((EL (bt2_val(RSF rep ins)) regs),m,rplusm)),
              mar,
              (new_stop => res | rplusm),
              (new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1))"
  );;

save_thm(`ADDB_u2`, EXPAND_LET_RULE ADDB_u2);;
%
 Micro instruction 80: ADDB - goto fetch (NOOP)
%

%
 Micro instruction 81: ADDS - destreg := r+m
%

let ADDS_u2 = new_definition
  (`ADDS_u2`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    ADDS_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     let rplusm = (add rep ((EL (bt2_val(RSF rep ins)) regs),m)) in
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             (update_reg regs (DSF rep ins) b rplusm, m, ins, din, dout, ram,
              b, F, aovfl rep ((EL (bt2_val(RSF rep ins)) regs),m,rplusm),
              mar, rplusm, add_bt7 mpc 1)"
  );;

save_thm(`ADDS_u2`, EXPAND_LET_RULE ADDS_u2);;
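The definitions above encode the Viper safety rule that matters most at this level: a microinstruction never lets a bad value become the program counter. ADDB_u2 refuses any destination from P upwards (new_stop, state held, mpc := 0), ADDS_u2 writes the sum freely and relies on CK_VALID_PC in the next slot to halt when the destination was P (or a conditional P write that is taken) and the result is not a valid 20-bit address, and every microinstruction's `stop =>` arm keeps the machine stopped and returns to FETCH. The following Python model is an added example, not code from the report; it gives the listing's abstract operations (add, addp, aovfl, valid_address, update_reg, DSF, RSF) concrete meanings, and the 32-bit word, 20-bit address, register order A=0 X=1 Y=2 P=3, FETCH_addr = micro address 0, the reading of destinations 4/5 as "P if b" / "P if not b" and of 6/7 as illegal, and the behaviour of the "goto fetch" NOOP are all assumptions of the example.

```python
# Added example, not from the report: a Python model of ADDB_u2, ADDS_u2,
# CK_VALID_PC and the "goto fetch" NOOP, dispatched by micro program counter
# the way micro_inst_list pairs a 7-bit key with a transition.  Word and
# address widths, register numbering, FETCH_addr = 0, the meaning of
# destinations 4..7 and the NOOP behaviour are assumptions, not page facts.
from dataclasses import dataclass, replace
from typing import Callable, Dict, Tuple

WORD_BITS, ADDR_BITS = 32, 20
MASK = (1 << WORD_BITS) - 1
FETCH_ADDR = 0               # slot 0 of micro_inst_list is FETCH_u1
A, X, Y, P = 0, 1, 2, 3      # register order assumed from regs_def


@dataclass(frozen=True)
class Ins:
    dsf: int    # 3-bit destination select field (DSF)
    rsf: int    # 2-bit source register select field (RSF)


@dataclass(frozen=True)
class MState:
    """The listing's 12-tuple minus din/dout/ram/mar, which these four
    microinstructions carry through unchanged."""
    regs: Tuple[int, int, int, int]
    m: int
    ins: Ins
    b: bool
    stop: bool
    ovl: bool
    res: int
    mpc: int


def valid_address(w: int) -> bool:
    return w < (1 << ADDR_BITS)


def signed_overflow(r: int, m: int, total: int) -> bool:
    """aovfl: two's complement overflow of r+m (assumed meaning)."""
    def sign(w: int) -> int:
        return (w >> (WORD_BITS - 1)) & 1
    return sign(r) == sign(m) and sign(total) != sign(r)


def update_reg(regs, d: int, b: bool, v: int):
    """Write v to destination d: 0..3 = A,X,Y,P; 4 = P if b; 5 = P if not b
    (the reading CK_VALID_PC's guard implies); 6, 7 write nothing (assumed)."""
    if d <= P:
        return regs[:d] + (v,) + regs[d + 1:]
    if (d == 4 and b) or (d == 5 and not b):
        return regs[:P] + (v,)
    return regs


def halt(s: MState) -> MState:
    """The 'stop =>' arm every microinstruction shares: hold the state,
    keep stop set, go back to FETCH."""
    return replace(s, stop=True, mpc=FETCH_ADDR)


def addb_u2(s: MState) -> MState:
    if s.stop:
        return halt(s)
    r = s.regs[s.ins.rsf]
    total = r + s.m
    rplusm = total & MASK
    if s.ins.dsf >= P:             # new_stop: ADDB may not target P at all
        return replace(s, stop=True, mpc=FETCH_ADDR)   # regs/b/ovl/res held
    return replace(s, regs=update_reg(s.regs, s.ins.dsf, s.b, rplusm),
                   b=bool(total >> WORD_BITS),          # addp: carry out
                   stop=False, ovl=signed_overflow(r, s.m, rplusm),
                   res=rplusm, mpc=s.mpc + 1)


def adds_u2(s: MState) -> MState:
    if s.stop:
        return halt(s)
    r = s.regs[s.ins.rsf]
    rplusm = (r + s.m) & MASK
    # no destination check here; CK_VALID_PC in the next slot does it
    return replace(s, regs=update_reg(s.regs, s.ins.dsf, s.b, rplusm),
                   stop=False, ovl=signed_overflow(r, s.m, rplusm),
                   res=rplusm, mpc=s.mpc + 1)


def ck_valid_pc(s: MState) -> MState:
    if s.stop:
        return halt(s)
    d = s.ins.dsf
    not_taken = (d == 4 and not s.b) or (d == 5 and s.b)
    new_stop = d in (6, 7) or (not not_taken and d in (3, 4, 5)
                               and not valid_address(s.res))
    if new_stop:
        return replace(s, stop=True, mpc=FETCH_ADDR)     # ovl and res held
    return replace(s, stop=False, ovl=False, res=s.m, mpc=s.mpc + 1)


def noop(s: MState) -> MState:
    """'goto fetch': assumed to change nothing but mpc."""
    return halt(s) if s.stop else replace(s, stop=False, mpc=FETCH_ADDR)


# slots 79..82 of micro_inst_list; NO_OVL (83) is not defined on this page
MICRO: Dict[int, Callable[[MState], MState]] = {
    79: addb_u2, 80: noop, 81: adds_u2, 82: ck_valid_pc}


def run(s: MState, steps: int) -> MState:
    """EL (bt7_val mpc) micro_inst_list, applied `steps` times."""
    for _ in range(steps):
        s = MICRO[s.mpc](s)
    return s


def start(dsf: int, rsf: int, regs, m: int, b: bool = False,
          mpc: int = 79) -> MState:
    return MState(regs=regs, m=m, ins=Ins(dsf, rsf), b=b, stop=False,
                  ovl=False, res=0, mpc=mpc)


if __name__ == "__main__":
    s = run(start(dsf=P, rsf=A, regs=(5, 0, 0, 0x100), m=1), 1)
    print("ADDB to P:", "stopped" if s.stop else "ran", "mpc =", s.mpc)
    s = run(start(dsf=P, rsf=A, regs=(1 << 19, 0, 0, 0x100), m=1 << 19,
                  mpc=81), 2)
    print("ADDS to P past 20 bits:", "stopped" if s.stop else "ran",
          "res =", hex(s.res))
```

Two things the model makes visible that the definitions only imply. First, ADDS_u2 really does write the out-of-range sum into P before CK_VALID_PC halts the machine, so the invariant "P is always a valid address" is not true of every intermediate micro state; what holds is that a fetch never happens from such a P, because stop is set before the next FETCH. Second, the conditional destinations are exempt exactly when the write is not taken (dsf 4 with b false, dsf 5 with b true), so an untaken jump to a garbage target is not an error. Once stopped, each transition's `stop =>` arm returns to FETCH with stop still set, so halting is sticky.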



%
 Micro instn 82: CK_VALID_PC
%

%
 Micro instn 83: NO_OVL
%

%
 Micro instruction 84: ADDS - goto fetch (NOOP)
%

%
 Micro instruction 85: SUBB - destreg := r-m; b := borrow
%

let SUBB_u2 = new_definition
  (`SUBB_u2`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    SUBB_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     let rminusm = (sub rep ((EL (bt2_val(RSF rep ins)) regs),m)) in
     let new_stop = ((DSF rep ins = (F,T,T)) \/
                     (DSF rep ins = (T,F,F)) \/
                     (DSF rep ins = (T,F,T)) \/
                     (DSF rep ins = (T,T,F)) \/
                     (DSF rep ins = (T,T,T))) in
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             ((new_stop => regs | update_reg regs (DSF rep ins) b rminusm),
              m, ins, din, dout, ram,
              (new_stop => b |
                 subp rep ((EL (bt2_val(RSF rep ins)) regs),m,rminusm)),
              new_stop,
              (new_stop => ovl |
                 sovfl rep ((EL (bt2_val(RSF rep ins)) regs),m,rminusm)),
              mar,
              (new_stop => res | rminusm),
              (new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1))"
  );;

save_thm(`SUBB_u2`, EXPAND_LET_RULE SUBB_u2);;

%
 Micro instruction 86: SUBB - goto fetch (NOOP)
%

%
 Micro instruction 87: SUBS - destreg := r-m
%

let SUBS_u2 = new_definition
  (`SUBS_u2`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    SUBS_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     let rminusm = (sub rep ((EL (bt2_val(RSF rep ins)) regs),m)) in
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             (update_reg regs (DSF rep ins) b rminusm, m, ins, din, dout, ram,
              b, F, sovfl rep ((EL (bt2_val(RSF rep ins)) regs),m,rminusm),
              mar, rminusm, add_bt7 mpc 1)"
  );;

save_thm(`SUBS_u2`, EXPAND_LET_RULE SUBS_u2);;



%
 Micro instn 88: CK_VALID_PC
%

%
 Micro instruction 89: NO_OVL
%

%
 Micro instruction 90: SUBS - goto fetch (NOOP)
%

%
 Micro instruction 91: XOR - destreg := r XOR m
%

let XOR_u2 = new_definition
  (`XOR_u2`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    XOR_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     let new_stop = ((DSF rep ins = (F,T,T)) \/
                     (DSF rep ins = (T,F,F)) \/
                     (DSF rep ins = (T,F,T)) \/
                     (DSF rep ins = (T,T,F)) \/
                     (DSF rep ins = (T,T,T))) in
     let rxorm = (bxor rep ((EL (bt2_val(RSF rep ins)) regs),m)) in
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             ((new_stop => regs | update_reg regs (DSF rep ins) b rxorm),
              m, ins, din, dout, ram, b, new_stop,
              (new_stop => ovl | F), mar,
              (new_stop => res | rxorm),
              (new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1))"
  );;

save_thm(`XOR_u2`, EXPAND_LET_RULE XOR_u2);;

%
 Micro instruction 92: XOR - goto fetch (NOOP)
%

%
 Micro instruction 93: AND - destreg := r AND m
%

let AND_u2 = new_definition
  (`AND_u2`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    AND_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     let new_stop = ((DSF rep ins = (F,T,T)) \/
                     (DSF rep ins = (T,F,F)) \/
                     (DSF rep ins = (T,F,T)) \/
                     (DSF rep ins = (T,T,F)) \/
                     (DSF rep ins = (T,T,T))) in
     let randm = (band rep ((EL (bt2_val(RSF rep ins)) regs),m)) in
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             ((new_stop => regs | update_reg regs (DSF rep ins) b randm),
              m, ins, din, dout, ram, b, new_stop,
              (new_stop => ovl | F), mar,
              (new_stop => res | randm),
              (new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1))"
  );;

save_thm(`AND_u2`, EXPAND_LET_RULE AND_u2);;

%
 Micro instruction 94: AND - goto fetch (NOOP)
%

%
 Micro instruction 95: NOR - destreg := r NOR m
%

let NOR_u2 = new_definition
  (`NOR_u2`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    NOR_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     let new_stop = ((DSF rep ins = (F,T,T)) \/
                     (DSF rep ins = (T,F,F)) \/
                     (DSF rep ins = (T,F,T)) \/
                     (DSF rep ins = (T,T,F)) \/
                     (DSF rep ins = (T,T,T))) in
     let rnorm = (bnor rep ((EL (bt2_val(RSF rep ins)) regs),m)) in
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             ((new_stop => regs | update_reg regs (DSF rep ins) b rnorm),
              m, ins, din, dout, ram, b, new_stop,
              (new_stop => ovl | F), mar,
              (new_stop => res | rnorm),
              (new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1))"
  );;

save_thm(`NOR_u2`, EXPAND_LET_RULE NOR_u2);;

%
 Micro instruction 96: NOR - goto fetch (NOOP)
%

%
 Micro instruction 97: wait 4 cycles
%

let wait_4 = new_definition
  (`wait_4`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    wait_4 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             (regs, m, ins, din, dout, ram, b, F, F, mar, m, add_bt7 mpc 1)"
  );;

save_thm(`wait_4`, EXPAND_LET_RULE wait_4);;

%
 Micro instruction 98: wait 3 cycles
%

let wait_3 = new_definition
  (`wait_3`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    wait_3 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             (regs, m, ins, din, dout, ram, b, F, F, mar, m, add_bt7 mpc 1)"
  );;

save_thm(`wait_3`, EXPAND_LET_RULE wait_3);;

%
 Micro instruction 99: wait 2 cycles
%

let wait_2 = new_definition
  (`wait_2`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    wait_2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             (regs, m, ins, din, dout, ram, b, F, F, mar, m, add_bt7 mpc 1)"
  );;

save_thm(`wait_2`, EXPAND_LET_RULE wait_2);;
%
 Micro instruction 100: wait 1 cycle
%

let wait_1 = new_definition
  (`wait_1`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    wait_1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             (regs, m, ins, din, dout, ram, b, F, F, mar, m, add_bt7 mpc 1)"
  );;

save_thm(`wait_1`, EXPAND_LET_RULE wait_1);;

%
 Micro instruction 101: MF3_u6
%

let MF3_u6 = new_definition
  (`MF3_u6`,
   "!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    MF3_u6 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
     stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
             (regs, m, ins, din, dout, ram, b, F, F, mar, m,
              add_bt7 ^BASE_addr
                (bt5_val (FST (SND (decode rep (opcode rep ins, b))))))"
  );;

save_thm(`MF3_u6`, EXPAND_LET_RULE MF3_u6);;


%
 Micro instructions 102-127: NOOP
%

let micro_state = ":((*wordn)list#*wordn#*wordn#*wordn#*wordn#
                    *memory#bool#bool#bool#*address#*wordn#bt7)";;

let micro_env = ":bool";;


%
 The micro_inst_list will be used to instantiate inst_list in
 mk_micro.ml.
%

let micro_inst_list = new_definition
  (`micro_inst_list`,
   "!rep:^rep_ty.
    micro_inst_list rep =
     [((F,F,F,F,F,F,F),(FETCH_u1 rep));
      ((F,F,F,F,F,F,T),(FETCH_u2 rep));
      ((F,F,F,F,F,T,F),(FETCH_u3 rep));
      ((F,F,F,F,F,T,T),(FETCH_u4 rep));
      ((F,F,F,F,T,F,F),(JMP_reqm rep));
      ((F,F,F,F,T,F,T),(JMP_opc rep));
      ((F,F,F,F,T,T,F),(NOOP rep));
      ((F,F,F,F,T,T,T),(SHRS_u1 rep));
      ((F,F,F,T,F,F,F),(SHRB_u1 rep));
      ((F,F,F,T,F,F,T),(SHLB_u1 rep));
      ((F,F,F,T,F,T,F),(AXY_WRITE rep));
      ((F,F,F,T,F,T,T),(SHLS_u1 rep));
      ((F,F,F,T,T,F,F),(NO_OVL rep));       % this is still late! %
      ((F,F,F,T,T,F,T),(NOOP rep));
      ((F,F,F,T,T,T,F),(AXY_WRITE rep));
      ((F,F,F,T,T,T,T),(SHRS_u2 rep));
      ((F,F,T,F,F,F,F),(NOOP rep));
      ((F,F,T,F,F,F,T),(AXY_WRITE rep));
      ((F,F,T,F,F,T,F),(SHRB_u2 rep));
      ((F,F,T,F,F,T,T),(NOOP rep));
      ((F,F,T,F,T,F,F),(AXY_WRITE rep));
      ((F,F,T,F,T,F,T),(SHLB_u2 rep));
      ((F,F,T,F,T,T,F),(NOOP rep));
      ((F,F,T,F,T,T,T),(MF0_u1 rep));
      ((F,F,T,T,F,F,F),(MF1_u1 rep));
      ((F,F,T,T,F,F,T),(MF2_u1 rep));
      ((F,F,T,T,F,T,F),(MF3_u1 rep));
      ((F,F,T,T,F,T,T),(MF3_u2 rep));
      ((F,F,T,T,T,F,F),(FETCH_u3 rep));
      ((F,F,T,T,T,F,T),(MF3_u4 rep));
      ((F,F,T,T,T,T,F),(MF3_u5 rep));
      ((F,F,T,T,T,T,T),(MF3_u6w1 rep));
      ((F,T,F,F,F,F,F),(MF3_u1w4 rep));
      ((F,T,F,F,F,F,T),(MF3_u6 rep));
      ((F,T,F,F,F,T,F),(MF3_u4 rep));
      ((F,T,F,F,F,T,T),(MF3_u5w3 rep));
      ((F,T,F,F,T,F,F),(MF3_u6 rep));
      ((F,T,F,F,T,F,T),(MF3_u1 rep));
      ((F,T,F,F,T,T,F),(MF2_u3 rep));
      ((F,T,F,F,T,T,T),(FETCH_u3 rep));
      ((F,T,F,T,F,F,F),(MF3_u4 rep));
      ((F,T,F,T,F,F,T),(MF3_u5 rep));
      ((F,T,F,T,F,T,F),(MF3_u6 rep));
      ((F,T,F,T,F,T,T),(COMPARE_u1 rep));
      ((F,T,F,T,T,F,F),(WRITEMEM_u1 rep));
      ((F,T,F,T,T,F,T),(WRITEIO_u1 rep));
      ((F,T,F,T,T,T,F),(NEG_u1 rep));
      ((F,T,F,T,T,T,T),(CALL_u1 rep));
      ((F,T,T,F,F,F,F),(READIO_u1 rep));
      ((F,T,T,F,F,F,T),(READMEM_u1 rep));
      ((F,T,T,F,F,T,F),(ADDB_u1 rep));
      ((F,T,T,F,F,T,T),(ADDS_u1 rep));
      ((F,T,T,F,T,F,F),(SUBB_u1 rep));
      ((F,T,T,F,T,F,T),(SUBS_u1 rep));
      ((F,T,T,F,T,T,F),(XOR_u1 rep));
      ((F,T,T,F,T,T,T),(AND_u1 rep));
      ((F,T,T,T,F,F,F),(NOR_u1 rep));
      ((F,T,T,T,F,F,T),(ANDMBAR_u1 rep));
      ((F,T,T,T,F,T,F),(NOOP rep));
      ((F,T,T,T,F,T,T),(COMPARE_u2 rep));
      ((F,T,T,T,T,F,F),(NOOP rep));
      ((F,T,T,T,T,F,T),(WRITEMEM_u2 rep));
      ((F,T,T,T,T,T,F),(NOOP rep));
      ((F,T,T,T,T,T,T),(WRITEIO_u2 rep));
      ((T,F,F,F,F,F,F),(NOOP rep));
      ((T,F,F,F,F,F,T),(AXY_WRITE rep));
      ((T,F,F,F,F,T,F),(NEGATE_u2 rep));
      ((T,F,F,F,F,T,T),(NOOP rep));
      ((T,F,F,F,T,F,F),(CALL_u2 rep));
      ((T,F,F,F,T,F,T),(CALL_u3 rep));
      ((T,F,F,F,T,T,F),(FETCH_u3 rep));
      ((T,F,F,F,T,T,T),(NOOP rep));
      ((T,F,F,T,F,F,F),(READIO_u2 rep));
      ((T,F,F,T,F,F,T),(MF3_u5 rep));
      ((T,F,F,T,F,T,F),(READIO_u4 rep));
      ((T,F,F,T,F,T,T),(NOOP rep));
      ((T,F,F,T,T,F,F),(READMEM_u2 rep));
      ((T,F,F,T,T,F,T),(CK_VALID_PC rep));
      ((T,F,F,T,T,T,F),(NOOP rep));
      ((T,F,F,T,T,T,T),(ADDB_u2 rep));
      ((T,F,T,F,F,F,F),(NOOP rep));
      ((T,F,T,F,F,F,T),(ADDS_u2 rep));
      ((T,F,T,F,F,T,F),(CK_VALID_PC rep));
      ((T,F,T,F,F,T,T),(NO_OVL rep));
      ((T,F,T,F,T,F,F),(NOOP rep));
      ((T,F,T,F,T,F,T),(SUBB_u2 rep));
      ((T,F,T,F,T,T,F),(NOOP rep));
      ((T,F,T,F,T,T,T),(SUBS_u2 rep));
      ((T,F,T,T,F,F,F),(CK_VALID_PC rep));
      ((T,F,T,T,F,F,T),(NO_OVL rep));
      ((T,F,T,T,F,T,F),(NOOP rep));
      ((T,F,T,T,F,T,T),(XOR_u2 rep));
      ((T,F,T,T,T,F,F),(NOOP rep));
      ((T,F,T,T,T,F,T),(AND_u2 rep));
      ((T,F,T,T,T,T,F),(NOOP rep));
      ((T,F,T,T,T,T,T),(NOR_u2 rep));
      ((T,T,F,F,F,F,F),(NOOP rep));
      ((T,T,F,F,F,F,T),(wait_4 rep));
      ((T,T,F,F,F,T,F),(wait_3 rep));
      ((T,T,F,F,F,T,T),(wait_2 rep));
      ((T,T,F,F,T,F,F),(wait_1 rep));
      ((T,T,F,F,T,F,T),(MF3_u6 rep));
      ((T,T,F,F,T,T,F),(NOOP rep));
      ((T,T,F,F,T,T,T),(NOOP rep));
      ((T,T,F,T,F,F,F),(NOOP rep));
      ((T,T,F,T,F,F,T),(NOOP rep));
      ((T,T,F,T,F,T,F),(NOOP rep));
      ((T,T,F,T,F,T,T),(NOOP rep));
      ((T,T,F,T,T,F,F),(NOOP rep));
      ((T,T,F,T,T,F,T),(NOOP rep));
      ((T,T,F,T,T,T,F),(NOOP rep));
      ((T,T,F,T,T,T,T),(NOOP rep));
      ((T,T,T,F,F,F,F),(NOOP rep));
      ((T,T,T,F,F,F,T),(NOOP rep));
      ((T,T,T,F,F,T,F),(NOOP rep));
      ((T,T,T,F,F,T,T),(NOOP rep));
      ((T,T,T,F,T,F,F),(NOOP rep));
      ((T,T,T,F,T,F,T),(NOOP rep));
      ((T,T,T,F,T,T,F),(NOOP rep));
      ((T,T,T,F,T,T,T),(NOOP rep));
      ((T,T,T,T,F,F,F),(NOOP rep));
      ((T,T,T,T,F,F,T),(NOOP rep));
      ((T,T,T,T,F,T,F),(NOOP rep));
      ((T,T,T,T,F,T,T),(NOOP rep));
      ((T,T,T,T,T,F,F),(NOOP rep));
      ((T,T,T,T,T,F,T),(NOOP rep));
      ((T,T,T,T,T,T,F),(NOOP rep));
      ((T,T,T,T,T,T,T),(NOOP rep))]"
  );;

%
 Select MPC from state.  This is used to instantiate gen_I.th.
%

let GetMPC = new_definition
  (`GetMPC`,
   "!(regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
     (reset:bool).
    GetMPC (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) = mpc"
  );;

%
 Give the number of phase level cycles for each microinstruction
%

let PhaseCycles = new_definition
  (`PhaseCycles`,
   "!key:bt7. PhaseCycles key = 3"
  );;

close_theory();;
%
 File: micro_aux.ml

 Description: Defines the micro level interpreter in terms of the
              definitions in micro_def.th, phase.th, and gen_I.th.

              Proves the lemmas for each microinstruction and
              saves them.

 Modified by ETS to include AXY_WRITE and CK_VALID_PC
%

set_search_path (search_path() @ lib_dir_list);;
loadf `abstract`;;

% this definition isn't in abstract yet %
let TAC_PROOF : (goal # tactic) -> thm =
  set_fail_prefix `TAC_PROOF`
    (\(g, tac).
      let new_g = ((fst g) @ theory_obligation_list, snd g) in
      let gl,p = tac new_g in
      if null gl then p[]
      else (
        message (`Unsolved goals:`);
        map print_goal gl;
        print_newline();
        failwith `unsolved goals`));;

system `/bin/rm micro_aux.th`;;

new_theory `micro_aux`;;

%
 extend_theory `micro_aux`;;
%

loadf `tuple`;;

map new_parent [`gen_I`; `micro_def`; `phase`; `uinst`; `threeval`];;
autoload_theory `ucode_def`;;
load_definitions `threeval`;;
load_theorems `threeval`;;

%
 From micro_def
%

let load_micro_inst = (\x. theorem `micro_def` x);;

let instructions = map load_micro_inst
  [`FETCH_u1`; `FETCH_u2`; `FETCH_u3`; `FETCH_u4`;
   `JMP_reqm`; `JMP_opc`; `NOOP`; `SHRS_u1`;
   `SHRB_u1`; `SHLB_u1`; `AXY_WRITE`; `SHLS_u1`;
   `NO_OVL`; `NOOP`; `AXY_WRITE`; `SHRS_u2`;
   `NOOP`; `AXY_WRITE`; `SHRB_u2`; `NOOP`;
   `AXY_WRITE`; `SHLB_u2`; `NOOP`; `MF0_u1`;
   `MF1_u1`; `MF2_u1`; `MF3_u1`; `MF3_u2`;
   `FETCH_u3`; `MF3_u4`; `MF3_u5`; `MF3_u6w1`;
   `MF3_u1w4`; `MF3_u6`; `MF3_u4`; `MF3_u5w3`;
   `MF3_u6`; `MF3_u1`; `MF2_u3`; `FETCH_u3`;
   `MF3_u4`; `MF3_u5`; `MF3_u6`; `COMPARE_u1`;
   `WRITEMEM_u1`; `WRITEIO_u1`; `NEG_u1`; `CALL_u1`;
   `READIO_u1`; `READMEM_u1`; `ADDB_u1`; `ADDS_u1`;
   `SUBB_u1`; `SUBS_u1`; `XOR_u1`; `AND_u1`;
   `NOR_u1`; `ANDMBAR_u1`; `NOOP`; `COMPARE_u2`;
   `NOOP`; `WRITEMEM_u2`; `NOOP`; `WRITEIO_u2`;
   `NOOP`; `AXY_WRITE`; `NEGATE_u2`; `NOOP`;
   `CALL_u2`; `CALL_u3`; `FETCH_u3`; `NOOP`;
   `READIO_u2`; `MF3_u5`; `READIO_u4`; `NOOP`;
   `READMEM_u2`; `CK_VALID_PC`; `NOOP`; `ADDB_u2`;
   `NOOP`; `ADDS_u2`; `CK_VALID_PC`; `NO_OVL`;
   `NOOP`; `SUBB_u2`; `NOOP`; `SUBS_u2`;
   `CK_VALID_PC`; `NO_OVL`; `NOOP`; `XOR_u2`;
   `NOOP`; `AND_u2`; `NOOP`; `NOR_u2`;
   `NOOP`; `wait_4`; `wait_3`; `wait_2`;
   `wait_1`; `MF3_u6`; `NOOP`; `NOOP`;
   `NOOP`; `NOOP`; `NOOP`; `NOOP`;
   `NOOP`; `NOOP`; `NOOP`; `NOOP`;
   `NOOP`; `NOOP`; `NOOP`; `NOOP`;
   `NOOP`; `NOOP`; `NOOP`; `NOOP`;
   `NOOP`; `NOOP`; `NOOP`; `NOOP`;
   `NOOP`; `NOOP`; `NOOP`; `NOOP`];;

let micro_inst_list = definition `micro_def` `micro_inst_list`;;

let GetMPC = definition `micro_def` `GetMPC`;;

let PhaseCycles = definition `micro_def` `PhaseCycles`;;

let add_bt7 = definition `micro_def` `add_bt7`;;
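micro_def's micro_inst_list and micro_aux's `instructions` are two hand-maintained 128-entry tables that must agree position by position: Micro_I selects a transition with EL (bt7_val (GetMPC ...)) micro_inst_list, and IMPL_IMP_TAC proves the lemma for slot n against `el (n+1) instructions`. If the key at position n is not the 7-bit encoding of n, or the two lists name different microinstructions at n, the per-slot lemma is proved about a transition other than the one the micro machine actually executes. The "this is still late!" note shows the tables were edited by hand. The script below is an added example, not part of the report; it transcribes the 128 names from the listing (nothing else is assumed) and checks both properties, with a deliberately corrupted copy, constructed here, to show what a finding looks like.

```python
# Added example, not from the report: consistency checks over the two
# parallel microinstruction tables in the listing.  SLOT_NAMES is
# transcribed from micro_inst_list; the faults in corrupted_tables() are
# constructed here only to show what the checks report.
from typing import List, Tuple

Key = Tuple[bool, ...]

SLOT_NAMES = (
    "FETCH_u1 FETCH_u2 FETCH_u3 FETCH_u4 JMP_reqm JMP_opc NOOP SHRS_u1 "
    "SHRB_u1 SHLB_u1 AXY_WRITE SHLS_u1 NO_OVL NOOP AXY_WRITE SHRS_u2 "
    "NOOP AXY_WRITE SHRB_u2 NOOP AXY_WRITE SHLB_u2 NOOP MF0_u1 "
    "MF1_u1 MF2_u1 MF3_u1 MF3_u2 FETCH_u3 MF3_u4 MF3_u5 MF3_u6w1 "
    "MF3_u1w4 MF3_u6 MF3_u4 MF3_u5w3 MF3_u6 MF3_u1 MF2_u3 FETCH_u3 "
    "MF3_u4 MF3_u5 MF3_u6 COMPARE_u1 WRITEMEM_u1 WRITEIO_u1 NEG_u1 CALL_u1 "
    "READIO_u1 READMEM_u1 ADDB_u1 ADDS_u1 SUBB_u1 SUBS_u1 XOR_u1 AND_u1 "
    "NOR_u1 ANDMBAR_u1 NOOP COMPARE_u2 NOOP WRITEMEM_u2 NOOP WRITEIO_u2 "
    "NOOP AXY_WRITE NEGATE_u2 NOOP CALL_u2 CALL_u3 FETCH_u3 NOOP "
    "READIO_u2 MF3_u5 READIO_u4 NOOP READMEM_u2 CK_VALID_PC NOOP ADDB_u2 "
    "NOOP ADDS_u2 CK_VALID_PC NO_OVL NOOP SUBB_u2 NOOP SUBS_u2 "
    "CK_VALID_PC NO_OVL NOOP XOR_u2 NOOP AND_u2 NOOP NOR_u2 "
    "NOOP wait_4 wait_3 wait_2 wait_1 MF3_u6"
).split() + ["NOOP"] * 26          # micro instructions 102..127 are NOOP


def bt7(n: int) -> Key:
    """7-bit encoding, most significant bit first, e.g. 1 -> (F,F,F,F,F,F,T)."""
    if not 0 <= n < 128:
        raise ValueError("bt7 takes 0..127")
    return tuple(bool((n >> i) & 1) for i in range(6, -1, -1))


def bt7_val(key: Key) -> int:
    """Inverse of bt7, as used by Micro_I to turn the mpc into a list index."""
    v = 0
    for bit in key:
        v = (v << 1) | int(bit)
    return v


# micro_inst_list as [(key, transition-name)], built in listing order
MICRO_INST_LIST = [(bt7(i), name) for i, name in enumerate(SLOT_NAMES)]


def check_keys(table) -> List[Tuple[int, Key, Key]]:
    """Position n must carry key bt7 n; otherwise EL (bt7_val mpc) selects
    a different entry from the one written beside that key."""
    return [(n, bt7(n), k) for n, (k, _) in enumerate(table) if k != bt7(n)]


def check_names(table, aux_names) -> List[Tuple[int, str, str]]:
    """micro_aux's `el (n+1) instructions` must name the transition stored
    at entry n of micro_inst_list."""
    if len(table) != len(aux_names):
        raise ValueError(f"length mismatch: {len(table)} vs {len(aux_names)}")
    return [(n, t, a)
            for n, ((_, t), a) in enumerate(zip(table, aux_names)) if t != a]


def select(table, mpc: Key) -> str:
    """EL (bt7_val mpc) micro_inst_list, the lookup Micro_I performs."""
    return table[bt7_val(mpc)][1]


def corrupted_tables():
    """Constructed faults: an OCR-style misspelling in the name list and
    two swapped keys in the pair list."""
    names = list(SLOT_NAMES)
    names[31] = "MF3_u6ol"
    table = list(MICRO_INST_LIST)
    table[12] = (bt7(13), table[12][1])
    table[13] = (bt7(12), table[13][1])
    return table, names


if __name__ == "__main__":
    print("keys ok:", check_keys(MICRO_INST_LIST) == [])
    print("names ok:", check_names(MICRO_INST_LIST, SLOT_NAMES) == [])
    bad_table, bad_names = corrupted_tables()
    print("key faults:", check_keys(bad_table))
    print("name faults:", check_names(MICRO_INST_LIST, bad_names))
```

The same check is cheap to run inside HOL itself by walking the list term with term_list_el and comparing the key at position n with bt7 n, but doing it outside the prover first catches the transcription slips before a multi-hour lemma run is spent on the wrong slot.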
%
 From phase_def
%

let load_phase_inst = (\x. definition `phase_def` x);;

let phases = map load_phase_inst
  [`phase_one_def`; `phase_two_def`; `phase_three_def`];;

let PhaseClockBegin = definition `phase_def` `PhaseClockBegin`;;

let Phase_Substate = definition `phase_def` `Phase_Substate`;;

let GetPhaseClock = definition `phase_def` `GetPhaseClock`;;

let Phase_I = theorem `phase` `PHASE_I`;;

let cond3_def = definition `phase` `cond3_def`;;

let cond3_lemma = theorem `phase` `cond3_lemma`;;

let micro_rom_expanded = theorem `uinst` `micro_rom_expanded`;;

let A = definition `regs_def` `A`;;

let X = definition `regs_def` `X`;;

let Y = definition `regs_def` `Y`;;

let P = definition `regs_def` `P`;;
%
 The representation types
%

let rep_ty = abstract_type `aux_def` `opcode`;;

let I_rep_ty = abstract_type `gen_I` `Impl`;;

let micro_state = ":((*wordn)list#*wordn#*wordn#*wordn#*wordn#
                    *memory#bool#bool#bool#*address#*wordn#bt7)";;

let micro_env = ":bool";;

let Phase_state =
  ":(*wordn)list # *wordn # *wordn # *wordn # *wordn # *memory # bool #
    bool # bool # *address # *wordn # bt7 # ucode # (num -> ucode) #
    *wordn # *wordn # bool # bool # bool";;

let Phase_env = ":bool";;

%
 Intermediate theorem needed for rewriting
 let ZERO_NEQ_SUC = theorem `micro_aux` `ZERO_NEQ_SUC`;;
%

let ZERO_NEQ_SUC = prove_thm(
  `ZERO_NEQ_SUC`,
  "!n. ~(0 = SUC n)",
  GEN_TAC THEN REWRITE_TAC[REWRITE_RULE [LESS_0]
                           (SPECL ["0"; "SUC n"] LESS_NOT_EQ)]
);;


%
 Define the micro level interpreter in terms of the generic
 interpreter definition.

 let Micro_I_def = definition `micro_aux` `Micro_I_def`;;
 let Micro_I = theorem `micro_aux` `Micro_I`;;
 let Micro_I_IMPL_IMPL_DEF = definition `micro_aux` `Micro_I_IMPL_IMPL_DEF`;;
%

let Micro_I_def = new_definition
  (`Micro_I_def`,
   "!(rep:^rep_ty) (s:time->^micro_state) (e:time->^micro_env).
    Micro_I rep s e =
      INTERP
        (micro_inst_list rep,
         bt7_val,
         (GetMPC:^micro_state -> ^micro_env -> bt7),
         (PhaseCycles:bt7->num),
         (Phase_Substate:^Phase_state -> ^micro_state),
         (I:^Phase_env -> ^micro_env),
         Phase_I rep,
         (GetPhaseClock:^Phase_state -> ^Phase_env -> triple),
         PhaseClockBegin, @x:one.F) s e"
  );;

let Micro_I = save_thm
  (`Micro_I`,
   ONCE_REWRITE_RULE [GetMPC] (
     BETA_RULE (
       EXPAND_LET_RULE
         (instantiate_abstract_definition `gen_I` `INTERP` Micro_I_def)))
  );;

let Micro_I_IMPL_IMPL_DEF = new_definition
  (`Micro_I_IMPL_IMPL_DEF`,
   "!(rep:^rep_ty) (s:time->^Phase_state) (e:time->^Phase_env).
    Micro_I_IMPL_IMP rep s e =
      IMPL_IMP
        (micro_inst_list rep,
         bt7_val,
         (GetMPC:^micro_state -> ^micro_env -> bt7),
         (PhaseCycles:bt7->num),
         (Phase_Substate:^Phase_state -> ^micro_state),
         (I:^Phase_env -> ^micro_env),
         Phase_I rep,
         (GetPhaseClock:^Phase_state -> ^Phase_env -> triple),
         PhaseClockBegin, @x:one.F) s e"
  );;

let Micro_I_IMPL_IMP =
  let Micro_I_EXT =
    CONV_RULE (TOP_DEPTH_CONV FUN_EQ_CONV) Micro_I_IMPL_IMPL_DEF in
  (REWRITE_RULE [I_THM] (
    BETA_RULE (
      EXPAND_LET_RULE (
        instantiate_abstract_definition
          `gen_I`
          `IMPL_IMP`
          Micro_I_EXT))));;

map (delete_cache o fst) (cached_theories());;

%
 Some ML functions for the inference rules that follow.
%

letrec term_list_el n l = (
  let tm_hd x = rand(fst(dest_comb x)) and
      tm_tl x = snd(dest_comb x) in
  if (n = 0) then tm_hd l else
    term_list_el (n-1) (tm_tl l)) ?
  failwith `term_list_el`;;

%
 This is insecure for right now (mk_thm asserts the equation without
 proof, so a wrong index would go unnoticed by the logic), but it is
 reasonably simple.
%

let EL_CONV tm = (
  let ((c,n),l) = ((dest_comb # I) o dest_comb) tm in
  let n_int = term_to_int n in
  mk_thm([], "^tm = ^(term_list_el n_int l)")) ?
  failwith `EL_CONV`;;
%
 Some other nice conversions
%

let is_SND_term t =
  if is_comb t then
    fst (dest_const (fst(strip_comb t))) = `SND`
  else
    false;;

let SND_CONV t =
  if is_SND_term t then
    let op,pr = dest_comb t in
    let op,[t1;t2] = strip_comb pr in
    SPECL [t1;t2] (
      INST_TYPE [((type_of t1), ":*");
                 ((type_of t2), ":**")] SND)
  else
    failwith `SND_CONV`;;

let TPLUS3LEMMA = TAC_PROOF
  (([],
    "!t. (t+3) = (((t + 1) + 1) + 1)"),
   STRIP_TAC THEN
   CONV_TAC (TOP_DEPTH_CONV num_CONV) THEN
   REWRITE_TAC [ADD_CLAUSES]
  );;

let Phase_I_SPEC =
  PURE_ONCE_REWRITE_RULE [GetPhaseClock] (
    BETA_RULE (
      SPECL ["rep:^rep_ty";
             "(\t. (regs t, mreg t, insreg t, din t, dout t, ram t,
                    b t, stop t, ovl t, mar t, res t, mpc t, mir t, micro_rom,
                    rlatch t, mlatch t, ph1 t, ph2 t, ph3 t)):time->^Phase_state";
             "(\t. (reset t)):time->^Phase_env"] Phase_I));;

let MK_Phase_I_Inst_LEMMA inst =
  let clk_term =
    ((inst = 1) => "stop t = T" |
     (inst = 2) => "ph1 t = T" |
     (inst = 3) => "ph2 t = T" |
                   "ph3 t = T") in
  let clk_lemma =
    REWRITE_RULE [] (
      SUBS [ASSUME clk_term] (
        SPEC "t" (
          ASSUME
           "!t. (stop t ==> ~ph1 t /\ ~ph2 t /\ ~ph3 t) /\
                (ph1 t = ~stop t /\ ~ph2 t /\ ~ph3 t) /\
                (ph2 t = ~stop t /\ ~ph1 t /\ ~ph3 t) /\
                (ph3 t = ~stop t /\ ~ph1 t /\ ~ph2 t)"))) in
  DISCH_ALL (
    GEN "t" (
      ONCE_REWRITE_RULE [] (
        DISCH clk_term (
          SUBS [SPECL ["rep:^rep_ty";
                       "regs t:(*wordn)list";
                       "mreg t:*wordn";
                       "insreg t:*wordn";
                       "din t:*wordn";
                       "dout t:*wordn";
                       "ram t:*memory";
                       "b t:bool";
                       ((inst=1) => "T" | "F");
                       "ovl t:bool";
                       "mar t:*address";
                       "res t:*wordn";
                       "mpc t:bt7";
                       "mir t:ucode";
                       "micro_rom:num->ucode";
                       "rlatch t:*wordn";
                       "mlatch t:*wordn";
                       ((inst=2) => "T" | "F");
                       ((inst=3) => "T" | "F");
                       ((inst=4) => "T" | "F");
                       "reset t:bool"]
                      (el ((inst=1) => inst | (inst-1)) phases)] (
            CONV_RULE (DEPTH_CONV SND_CONV) (
              CONV_RULE (ONCE_DEPTH_CONV EL_CONV) (
                REWRITE_RULE [triple_VALUE_LEMMA] (SUBS [ASSUME clk_term] (
                  REWRITE_RULE (CONJUNCTS (clk_lemma)) (
                    SPEC_ALL (
                      SUBS [Phase_I_SPEC] (
                        ASSUME
                         "Phase_I (rep:^rep_ty)
                            (\t. (regs t, mreg t, insreg t, din t, dout t, ram t,
                                  b t, stop t, ovl t, mar t, res t, mpc t, mir t,
                                  micro_rom, rlatch t, mlatch t,
                                  ph1 t, ph2 t, ph3 t))
                            (\t. (reset t))"))))))))))));;

let Phase_I_Inst_list = map MK_Phase_I_Inst_LEMMA [1;2;3;4];;
let Micro_I_IMPL_IMP_LEMMA =
  REWRITE_RULE [GetPhaseClock;Phase_Substate;PhaseClockBegin;GetMPC;
                PhaseCycles] (
    BETA_RULE (
      SPECL ["rep:^rep_ty";
             "(\t. (regs t, mreg t, insreg t, din t, dout t, ram t,
                    b t, stop t, ovl t, mar t, res t, mpc t, mir t, micro_rom,
                    rlatch t, mlatch t, ph1 t,
                    ph2 t, ph3 t)):time->^Phase_state";
             "(\t. (reset t)):time->^Phase_env"]
            Micro_I_IMPL_IMP));;

let MK_IMPL_IMP_GOAL n =
  let inst = term_list_el n
               (snd(dest_eq(
                 snd(dest_forall(concl micro_inst_list))))) in
  "!(rep: ^rep_ty) (regs : time->(*wordn)list)
    (mreg insreg din dout : time->*wordn) (ram: time->*memory)
    (b stop ovl : time->bool) (mar : time->*address) (res : time->*wordn)
    (mpc : time->bt7) (mir : time->ucode) (rlatch mlatch: time->*wordn)
    (ph1 ph2 ph3 : time->bool) (reset : time->bool) .
    (!t.
      (stop t ==> ~ph1 t /\ ~ph2 t /\ ~ph3 t) /\
      (ph1 t = ~stop t /\ ~ph2 t /\ ~ph3 t) /\
      (ph2 t = ~stop t /\ ~ph1 t /\ ~ph3 t) /\
      (ph3 t = ~stop t /\ ~ph1 t /\ ~ph2 t)) ==>
    Micro_I_IMPL_IMP rep
      (\t. (regs t, mreg t, insreg t, din t, dout t, ram t,
            b t, stop t, ovl t, mar t, res t, mpc t, mir t, micro_rom,
            rlatch t, mlatch t, ph1 t, ph2 t, ph3 t))
      (\t. (reset t)) ^inst";;
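The hypothesis that MK_IMPL_IMP_GOAL places on stop, ph1, ph2 and ph3 is small enough to check exhaustively. The Python block below is an added example, not part of the report's HOL scripts: it evaluates the four conjuncts of that hypothesis over every assignment of the four booleans at one instant and returns the assignments that satisfy them. Exactly four survive, each with a single signal high, which is why MK_Phase_I_Inst_LEMMA need only be instantiated for inst = 1, 2, 3, 4. The mapping from a satisfying state to that index (phase_index) is my own, following the order stop, ph1, ph2, ph3 of the SPECL list in MK_Phase_I_Inst_LEMMA.

```python
"""Exhaustive check of the phase-clock hypothesis used by MK_IMPL_IMP_GOAL.

Added example, not part of the report. The four conjuncts are transcribed
from the HOL goal; everything else (the one-hot test, phase_index) is an
assumption of this example.
"""
from itertools import product


def clock_hypothesis(stop, ph1, ph2, ph3):
    """The body of the !t. hypothesis, instantiated at one time instant."""
    c1 = (not stop) or (not ph1 and not ph2 and not ph3)  # stop ==> ~ph1 /\ ~ph2 /\ ~ph3
    c2 = ph1 == (not stop and not ph2 and not ph3)        # ph1 = ~stop /\ ~ph2 /\ ~ph3
    c3 = ph2 == (not stop and not ph1 and not ph3)        # ph2 = ~stop /\ ~ph1 /\ ~ph3
    c4 = ph3 == (not stop and not ph1 and not ph2)        # ph3 = ~stop /\ ~ph1 /\ ~ph2
    return c1 and c2 and c3 and c4


def satisfying_states():
    """All (stop, ph1, ph2, ph3) assignments that satisfy the hypothesis."""
    return [s for s in product([False, True], repeat=4) if clock_hypothesis(*s)]


def is_one_hot(state):
    """True when exactly one of the four signals is high."""
    return sum(state) == 1


def phase_index(state):
    """Map a satisfying state to the inst index used by MK_Phase_I_Inst_LEMMA:
    1 = stopped, 2 = ph1, 3 = ph2, 4 = ph3 (assumed ordering, see lead-in)."""
    if not clock_hypothesis(*state):
        raise ValueError("state does not satisfy the clock hypothesis")
    return tuple(state).index(True) + 1


if __name__ == "__main__":
    for s in satisfying_states():
        print(s, "-> inst =", phase_index(s))
```

Every assignment with no signal high, or with two or more high, is rejected by at least one conjunct, so the hypothesis is exactly a one-hot encoding of {stopped, phase 1, phase 2, phase 3}; the COND_CASES_TAC split in IMPL_IMP_TAC relies on this.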

let SPEC_SELECTOR x thm =
  let inst = snd(dest_eq x) in
  let (addr,seqalu,dec,mem,srcdst,en,sel) =
    (I # (I # (I # (I # (I # dest_pair))))) (
      (I # (I # (I # (I # dest_pair)))) (
        (I # (I # (I # dest_pair))) (
          (I # (I # dest_pair)) (
            (I # dest_pair) (
              (dest_pair inst)))))) in
  let (seq,alu) = (dest_pair seqalu) in
  let (r,w,io) =
    (I # dest_pair) (
      (dest_pair mem)) in
  let (mrf,mdf,rfc,dfc) =
    (I # (I # dest_pair)) (
      (I # dest_pair) (
        (dest_pair srcdst))) in
  let (de,re) = dest_pair en in
  let (adrs,ds,ms) =
    (I # dest_pair) (
      (dest_pair sel)) in
  SPECL [r;w;io;dec;rfc;dfc;de;re;adrs;ds;mrf;ms;seq;mdf;alu;addr] thm;;

let SPEC_ALL_SELECTORS x =
  map (SPEC_SELECTOR x)
      [Maddr;Seqctl;Aluctl;Dec_ctl;R;W;Io;Mrf;Mdf;Rfc;Dfc;De;Re;Adrs;Ds;Ms];;

map (delete_cache o fst) (cached_theories());;

let IMPL_IMP_TAC n =
  let inst = term_list_el n
               (snd(dest_eq(
                 snd(dest_forall(concl micro_inst_list))))) in
  let thm = el (n+1) instructions in
  let find_Phase_I_term tm = (
    let ((x,y),z) = ((dest_comb # I)
                      (dest_comb tm)) in
    (x = "Phase_I (rep: ^rep_ty)")) ? false in (
  REPEAT STRIP_TAC
  THEN SUBST_TAC [SPEC inst Micro_I_IMPL_IMP_LEMMA]
  THEN REWRITE_TAC [thm]
  THEN SUBST_TAC [A;X;Y;P]
  THEN STRIP_TAC THEN STRIP_TAC THEN STRIP_TAC
  THEN POP_ASSUM(\thm. STRIP_ASSUME_TAC (MULTI_MP
         (CONJUNCTS (SPECL ["(ph2 t):bool"; "(ph3 t):bool"]
            (REWRITE_RULE [cond3_def] cond3_lemma))) thm))
  THEN COND_CASES_TAC
  THEN POP_ASSUM(\thm. ASSUME_TAC (REWRITE_RULE [] thm))
  THENL [
    ASSUM_LIST(\asl. ASSUME_TAC (
      REWRITE_RULE [(el 1 asl);(el 2 asl);(el 3 asl)]
        (SPEC_ALL (el 6 asl))))
    THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
      CONJUNCTS (
        REWRITE_RULE [PAIR_EQ] (
          (\y. MP y (el 2 x)) (
            SPEC "t:time" (
              (\y. MP y (el 7 x)) (
                MATCH_MP (el 1 Phase_I_Inst_list)
                  (hd (filter (find_Phase_I_term o concl) x)))))))))
    THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
      CONJUNCTS (
        REWRITE_RULE [PAIR_EQ] (
          (\y. MP y (el 11 x)) (
            SPEC "t+1" (
              (\y. MP y (el 25 x)) (
                MATCH_MP (el 1 Phase_I_Inst_list)
                  (hd (filter (find_Phase_I_term o concl) x)))))))))
    THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
      CONJUNCTS (
        REWRITE_RULE [PAIR_EQ] (
          (\y. MP y (el 11 x)) (
            SPEC "(t+1)+1" (
              (\y. MP y (el 43 x)) (
                MATCH_MP (el 1 Phase_I_Inst_list)
                  (hd (filter (find_Phase_I_term o concl) x)))))))))
    THEN PURE_ONCE_REWRITE_TAC [TPLUS3LEMMA]
    THEN ASM_REWRITE_TAC []
    ;
    ASSUM_LIST(\asl. ASSUME_TAC (
      REWRITE_RULE [(el 1 asl);(el 2 asl);(el 3 asl)]
        (SPEC_ALL (el 6 asl))))
    THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
      CONJUNCTS (
        REWRITE_RULE [PAIR_EQ] (
          SUBS [CONV_RULE (ONCE_DEPTH_CONV EL_CONV) (
                  SPEC (int_to_term n) micro_rom_expanded)] (
            CONV_RULE (ONCE_DEPTH_CONV bt7_val_CONV) (
              SUBS [el 5 x] (
                (\y. MP y (el 1 x)) (
                  SPEC "t:time" (
                    (\y. MP y (el 7 x)) (
                      MATCH_MP (el 2 Phase_I_Inst_list)
                        (hd (filter (find_Phase_I_term o concl) x))))))))))))
    THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
      CONJUNCTS (
        REWRITE_RULE [PAIR_EQ] (
          SUBS (SPEC_ALL_SELECTORS (concl (el 6 x))) (
            SUBS [el 6 x] (
              (\y. MP y (el 2 x)) (
                SPEC "t+1" (
                  (\y. MP y (el 25 x)) (
                    MATCH_MP (el 3 Phase_I_Inst_list)
                      (hd (filter (find_Phase_I_term o concl) x))))))))))
    THEN ASSUM_LIST (\x. if is_eq(concl (el 1 x))
      then
        (let (lhs,rhs) = dest_eq(concl(el 11 x)) in
         (ASM_CASES_TAC rhs THENL [
           POP_ASSUM (\thm.
             (ASSUM_LIST (\x. ASSUME_TAC (REWRITE_RULE x thm))) THEN
             ASSUME_TAC thm) THEN
           ASSUM_LIST (\x. ASSUME_TAC
             (REWRITE_RULE [el 1 x] (el 13 x))) THEN
           ASSUM_LIST (\x.
             (MAP_EVERY ASSUME_TAC (
               CONJUNCTS (
                 REWRITE_RULE [PAIR_EQ] (
                   (\y. MP y (el 1 x)) (
                     SPEC "(t+1)+1" (
                       (\y. MP y (el 46 x)) (
                         MATCH_MP (el 1 Phase_I_Inst_list)
                           (hd (filter
                             (find_Phase_I_term o concl) x))))))))) THEN
           PURE_ONCE_REWRITE_TAC [TPLUS3LEMMA] THEN
           ASM_REWRITE_TAC []
           ;
           POP_ASSUM (\thm. ASSUME_TAC (REWRITE_RULE [] thm)) THEN
           POP_ASSUM (\thm.
             (ASSUM_LIST (\x. ASSUME_TAC (REWRITE_RULE x thm))) THEN
             ASSUME_TAC thm) THEN
           ASSUM_LIST (\x. ASSUME_TAC
             (REWRITE_RULE [el 1 x] (el 3 x))) THEN
           ASSUM_LIST (\x.
             (MAP_EVERY ASSUME_TAC (
               CONJUNCTS (
                 REWRITE_RULE [PAIR_EQ] (
                   SUBS (SPEC_ALL_SELECTORS (concl (el 9 x))) (
                     SUBS [el 9 x] (
                       (\y. MP y (el 1 x)) (
                         SPEC "(t+1)+1" (
                           (\y. MP y (el 46 x)) (
                             MATCH_MP (el 4 Phase_I_Inst_list)
                               (hd (filter
                                 (find_Phase_I_term o concl) x))))))))))) THEN
           PURE_ONCE_REWRITE_TAC [TPLUS3LEMMA] THEN
           if n=4 then
             (ASM_REWRITE_TAC [add_bt7] THEN
              COND_CASES_TAC
              THEN ASSUM_LIST (\asl. ASSUME_TAC (
                ONCE_REWRITE_RULE [DE_MORGAN_THM] (el 22 asl)))
              THEN POP_ASSUM(\thm. REWRITE_TAC [thm]))
           else ASM_REWRITE_TAC [add_bt7]
         ]))
      else
        (MAP_EVERY ASSUME_TAC (
          CONJUNCTS (
            REWRITE_RULE [PAIR_EQ] (
              SUBS (SPEC_ALL_SELECTORS (concl (el 6 x))) (
                SUBS [el 6 x] (
                  (\y. MP y (el 1 x)) (
                    SPEC "(t+1)+1" (
                      (\y. MP y (el 43 x)) (
                        MATCH_MP (el 4 Phase_I_Inst_list)
                          (hd (filter (find_Phase_I_term o concl) x))))))))))
         THEN PURE_ONCE_REWRITE_TAC [TPLUS3LEMMA] THEN
         ASM_REWRITE_TAC [] THEN
         REWRITE_TAC [P; bt2_val; bt3_val] THEN
         CONV_TAC (TOP_DEPTH_CONV num_CONV) THEN
         REWRITE_TAC [ZERO_NEQ_SUC; NOT_SUC; INV_SUC_EQ; add_bt7]))
  ]);;

let PROVE_IMPL_IMP_LEMMA n = (
  TAC_PROOF (([],
              MK_IMPL_IMP_GOAL n),
             IMPL_IMP_TAC n));;

let SAVE_INST_LEMMA n =
  let name = (concat `INST_` (string_of_int n)) in
  save_thm(name, PROVE_IMPL_IMP_LEMMA n);;

map (delete_cache o fst) (cached_theories());;

letrec mk_num_list n m =
  if n = m then [m] else
  (n . (mk_num_list (n+1) m));;

%
  The microinstructions will be proved and the resulting
  theorems will be saved. The theorem for microinstruction n
  will be saved under the name INST_n
%

map SAVE_INST_LEMMA (mk_num_list 0 15);;
map (delete_cache o fst) (cached_theories());;
map SAVE_INST_LEMMA (mk_num_list 16 31);;
map (delete_cache o fst) (cached_theories());;
map SAVE_INST_LEMMA (mk_num_list 32 47);;
map (delete_cache o fst) (cached_theories());;
map SAVE_INST_LEMMA (mk_num_list 48 63);;
map (delete_cache o fst) (cached_theories());;
map SAVE_INST_LEMMA (mk_num_list 64 79);;
map (delete_cache o fst) (cached_theories());;
map SAVE_INST_LEMMA (mk_num_list 80 95);;
map (delete_cache o fst) (cached_theories());;
map SAVE_INST_LEMMA (mk_num_list 96 111);;
map (delete_cache o fst) (cached_theories());;
map SAVE_INST_LEMMA (mk_num_list 112 127);;
map (delete_cache o fst) (cached_theories());;

close_theory();;



%
  File: mk_micro.ml

  Description: Uses the individual correctness lemmas for each
               micro instruction from micro_aux.th to prove the
               instruction correctness lemma and complete the
               Phase to Micro level proof.
%

set_search_path (search_path() @ lib_dir_list);;

loadf `abstract`;;

% this definition isn't in abstract yet %
let TAC_PROOF : (goal # tactic) -> thm =
  set_fail_prefix `TAC_PROOF`
    (\(g,tac).
      let new_g = ((fst g) @ theory_obligation_list, snd g) in
      let gl,p = tac new_g in
      if null gl then p[]
      else (
        message `Unsolved goals:`;
        map print_goal gl;
        print_newline();
        failwith `unsolved goals`));;

system `/bin/rm micro.th`;;

new_theory `micro`;;

map loadf [`tuple`];;

map new_parent [`micro_aux`; `threeval`];;
load_definitions `threeval`;;
load_theorems `threeval`;;

map (delete_cache o fst) (cached_theories());;
let mk_inst_list n =
  letrec mk_inst_list_aux n m =
    let thm x = (theorem `micro_aux` (concat `INST_` (string_of_int x)))
    in
    if n = m then [thm m] else
    ((thm n) . (mk_inst_list_aux (n+1) m)) in
  mk_inst_list_aux 0 n;;

let inst_lemma_list = (mk_inst_list 127);;
let Micro_I_def = definition `micro_aux` `Micro_I_def`;;
let Micro_I = theorem `micro_aux` `Micro_I`;;

let Micro_I_IMPL_IMPL_DEF = definition `micro_aux` `Micro_I_IMPL_IMPL_DEF`;;

let Micro_I_IMPL_IMP =
  let Micro_I_EXT =
    CONV_RULE (TOP_DEPTH_CONV FUN_EQ_CONV) Micro_I_IMPL_IMPL_DEF in
  (REWRITE_RULE [I_THM] (
    BETA_RULE (
      EXPAND_LET_RULE (
        instantiate_abstract_definition
          `gen_I`
          `IMPL_IMP`
          Micro_I_EXT))));;

let micro_inst_list = definition `micro_def` `micro_inst_list`;;
let micro_rom = definition `uinst` `micro_rom`;;
map (delete_cache o fst) (cached_theories());;
let Phase_Substate = definition `phase_def` `Phase_Substate`;;
let GetPhaseClock = definition `phase_def` `GetPhaseClock`;;
let PhaseClockBegin = definition `phase_def` `PhaseClockBegin`;;
let Phase_I = theorem `phase` `PHASE_I`;;
%
  Load abstract type definitions.
%

let rep_ty = abstract_type `aux_def` `opcode`;;

let I_rep_ty = abstract_type `gen_I` `Impl`;;

%
  Define type terms for the state and env.
%

let micro_state = ":((*wordn)list#*wordn#*wordn#*wordn#*wordn#
                     *memory#bool#bool#bool#*address#*wordn#bt7)";;

let micro_env = ":bool";;

let phase_state =
  ":(*wordn)list # *wordn # *wordn # *wordn # *wordn # *memory # bool #
    bool # bool # *address # *wordn # bt7 # ucode # (num -> ucode) #
    *wordn # *wordn # bool # bool # bool";;
let phase_env = ":bool";;

map (delete_cache o fst) (cached_theories());;

%
  Some ML functions for the inference rules that follow.
%
letrec term_list_el n l = (
  let tm_hd x = rand(fst(dest_comb x)) and
      tm_tl x = snd(dest_comb x) in
  if (n = 0) then tm_hd l else
  term_list_el (n-1) (tm_tl l)) ?
  failwith `term_list_el`;;

%
  This is insecure for right now, but it is reasonably simple
%

let EL_CONV tm = (
  let ((c,n),l) = ((dest_comb # I) o dest_comb) tm in
  let n_int = term_to_int n in
  mk_thm([], "^tm = ^(term_list_el n_int l)")) ?
  failwith `EL_CONV`;;
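The comment calls EL_CONV "insecure" because mk_thm manufactures a theorem from a term without any inference: whatever term_list_el computes in ML becomes a theorem, and nothing in the logic checks it. The block below is an added example, not code from the report or from HOL88. It is a toy LCF-style kernel in which theorems can only be built by the kernel's rules, and it contrasts the shortcut taken by EL_CONV with a derived rule that reaches the same equation from the two defining equations of EL. The tainted flag on theorems is my own device for making the oracle visible; HOL88 keeps no such record, which is exactly why the comment matters.

```python
"""Toy LCF-style kernel: sound EL evaluation versus the mk_thm oracle.

Added example, not taken from the report or from HOL88. Terms are plain
tuples compared structurally. A Thm can only be constructed by the rules in
this module; mk_thm is the oracle that asserts any term with no proof and
marks the result (and everything derived from it) as tainted.
"""

# Term constructors.
def num(n):        return ("num", n)
def lst(*xs):      return ("list", tuple(xs))
def EL(n, l):      return ("EL", n, l)
def eq(a, b):      return ("eq", a, b)

_TOKEN = object()  # held only by the rules below; prevents Thm() from outside


class Thm:
    """A theorem. Only kernel rules (which hold _TOKEN) may construct one."""

    def __init__(self, concl, token, tainted):
        if token is not _TOKEN:
            raise PermissionError("theorems are built only by kernel rules")
        self.concl = concl
        self.tainted = tainted

    def __repr__(self):
        return f"|- {self.concl}" + ("  [ORACLE]" if self.tainted else "")


# Primitive rules.
def REFL(t):
    """|- t = t"""
    return Thm(eq(t, t), _TOKEN, False)


def TRANS(th1, th2):
    """From |- a = b and |- b = c derive |- a = c; the two b's must agree."""
    _, a, b = th1.concl
    _, b2, c = th2.concl
    if b != b2:
        raise ValueError("TRANS: middle terms differ")
    return Thm(eq(a, c), _TOKEN, th1.tainted or th2.tainted)


# Instances of the two defining equations of EL, accepted as axioms.
def EL_ZERO(h, t):
    """|- EL 0 (h::t) = h"""
    return Thm(eq(EL(num(0), lst(h, *t)), h), _TOKEN, False)


def EL_SUC(n, h, t):
    """|- EL (SUC n) (h::t) = EL n t   (SUC n is written as the numeral n+1)"""
    return Thm(eq(EL(num(n + 1), lst(h, *t)), EL(num(n), lst(*t))), _TOKEN, False)


def mk_thm(concl):
    """Oracle: assert any term as a theorem. Nothing is checked."""
    return Thm(concl, _TOKEN, True)


# Derived rules.
def EL_CONV_SOUND(n, elems):
    """|- EL n [e0;...;ek] = e_n, built only from EL_ZERO, EL_SUC and TRANS."""
    if not 0 <= n < len(elems):
        raise ValueError("EL_CONV_SOUND: index out of range")
    if n == 0:
        return EL_ZERO(elems[0], elems[1:])
    step = EL_SUC(n - 1, elems[0], elems[1:])             # EL n (h::t) = EL (n-1) t
    return TRANS(step, EL_CONV_SOUND(n - 1, elems[1:]))   # ... = e_n


def EL_CONV_INSECURE(n, elems):
    """The shortcut taken on the page: compute e_n in ML, then assert it via mk_thm."""
    return mk_thm(eq(EL(num(n), lst(*elems)), elems[n]))


def proof_is_checked(thm):
    """True only if no oracle contributed to thm."""
    return not thm.tainted


if __name__ == "__main__":
    xs = (num(7), num(8), num(9))
    print(EL_CONV_SOUND(2, xs))
    print(EL_CONV_INSECURE(2, xs))
    print(mk_thm(eq(EL(num(1), lst(*xs)), num(7))))   # false, but accepted
```

Both conversions produce the same equation for a correct index, but only the sound one is rejected when the claim is false (TRANS refuses to chain mismatched terms), whereas mk_thm accepts a false EL equation just as readily. In a proof that is meant to be an assurance argument, every theorem that depends on such an oracle should be tracked and either re-derived (as the commented-out mk_thm version of Micro_I_ORDER_LEMMA later in this file was) or documented as a trusted assumption.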


%
  The first obligation of the abstract interpreter theory
%

let Micro_I_CORRECT_LEMMA_AUX = TAC_PROOF
  (([],
    "!(rep: ^rep_ty) (regs : time->(*wordn)list)
      (mreg insreg din dout : time->*wordn) (ram: time->*memory)
      (b stop ovl : time->bool) (mar : time->*address) (res : time->*wordn)
      (mpc : time->bt7) (mir : time->ucode) (urom:num->ucode)
      (rlatch mlatch: time->*wordn) (ph1 ph2 ph3 : time->bool)
      (reset : time->bool) .
      (!t.
        (stop t ==> ~ph1 t /\ ~ph2 t /\ ~ph3 t) /\
        (ph1 t = ~stop t /\ ~ph2 t /\ ~ph3 t) /\
        (ph2 t = ~stop t /\ ~ph1 t /\ ~ph3 t) /\
        (ph3 t = ~stop t /\ ~ph1 t /\ ~ph2 t)) ==>
      EVERY (Micro_I_IMPL_IMP rep
              (\t.
                (regs t,mreg t,insreg t,din t,dout t,ram t,b t,stop t,
                 ovl t,mar t,res t,mpc t,mir t,micro_rom,r​latch t,mlatch t,
                 ph1 t,ph2 t,ph3 t))
              (\t. reset t)) (micro_inst_list rep)"),
   REWRITE_TAC [EVERY_DEF; micro_inst_list]
   THEN REPEAT STRIP_TAC
   THEN POP_ASSUM (\asl. MP_TAC asl)
   THENL (map MATCH_ACCEPT_TAC inst_lemma_list)
  );;

let Micro_I_CORRECT_LEMMA = (
  UNDISCH_ALL (
    SPEC_ALL (
      PURE_ONCE_REWRITE_RULE [Micro_I_IMPL_IMPL_DEF]
        Micro_I_CORRECT_LEMMA_AUX)));;

save_thm(`Micro_I_CORRECT_LEMMA`, Micro_I_CORRECT_LEMMA);;


%
  The second obligation of the abstract interpreter theory
%

let Micro_I_LENGTH_LEMMA = TAC_PROOF
  (([],
    "!mpc. bt7_val mpc < (LENGTH (micro_inst_list (rep : ^rep_ty)))"),
   REPEAT GEN_TAC
   THEN REWRITE_TAC [micro_inst_list; LENGTH]
   THEN STRUCT_CASES_TAC (SPEC "mpc:bt7" SEVEN_TUPLE_VALUE_LEMMA)
   THEN CONV_TAC (DEPTH_CONV bt7_val_CONV)
   THEN CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ]
  );;

save_thm(`Micro_I_LENGTH_LEMMA`, Micro_I_LENGTH_LEMMA);;
map (delete_cache o fst) (cached_theories());;


%
  The third obligation of the abstract interpreter theory
%

let Micro_I_ORDER_LEMMA = TAC_PROOF
  (([],
    "!mpc:bt7. mpc = (FST (EL (bt7_val mpc)
                             (micro_inst_list (rep: ^rep_ty))))"),
   REPEAT GEN_TAC
   THEN SUBST_TAC [SPEC "rep: ^rep_ty" micro_inst_list]
   THEN STRUCT_CASES_TAC (SPEC "mpc:bt7" SEVEN_TUPLE_VALUE_LEMMA)
   THEN CONV_TAC (ONCE_DEPTH_CONV bt7_val_CONV)
   THEN CONV_TAC (ONCE_DEPTH_CONV EL_CONV)
   THEN REWRITE_TAC []
  );;

%
let Micro_I_ORDER_LEMMA = mk_thm([],
  "!mpc:bt7. mpc = (FST (EL (bt7_val mpc) (micro_inst_list (rep: ^rep_ty))))"
  );;
%

save_thm(`Micro_I_ORDER_LEMMA`, Micro_I_ORDER_LEMMA);;

map (delete_cache o fst) (cached_theories());;

let theorem_list = instantiate_abstract_theorems `gen_I`
  [Micro_I_CORRECT_LEMMA;
   Micro_I_LENGTH_LEMMA;
   Micro_I_ORDER_LEMMA]
  [
   ("rep: ^I_rep_ty",
    "(micro_inst_list (rep: ^rep_ty),
      bt7_val,
      GetMPC : ^micro_state->^micro_env->bt7,
      Phase_Substate : ^phase_state->^micro_state,
      (I : ^phase_env->^micro_env),
      Phase_I rep,
      GetPhaseClock : ^phase_state->^phase_env->triple,
      PhaseClockBegin : triple, (\x:one. F))");
   ("e':time->*env",
    "(\t:time. (reset t):bool)");
   ("s':time->*state",
    "(\t. (regs t, mreg t, insreg t, din t, dout t, ram t,
           b t, stop t, ovl t, mar t, res t, mpc t,
           mir t, urom, rlatch t, mlatch t, ph1 t,
           ph2 t, ph3 t)) :time->^phase_state")
  ]
  `MICRO`;;

let correct_lemma = snd(hd theorem_list);;

let PHASE_IMPL_MICRO_LEMMA = save_thm
  (`PHASE_IMPL_MICRO_LEMMA`,
   BETA_RULE (
     EXPAND_LET_RULE (
       ONCE_REWRITE_RULE [Phase_Substate; I_THM; GetPhaseClock; PhaseClockBegin] (
         BETA_RULE (
           ONCE_REWRITE_RULE [SYM_RULE Micro_I_def] correct_lemma))))
  );;

close_theory();;

Appendix F: MICROCODE


For All Instructions

Cycle    uCode       uLoc   Comment
t        fetch_u1    0      fetch macro instruction
t + 1    fetch_u2    1      increment pc
t + 2    fetch_u3    2      invalid address (> 20 bits)?
t + 3    fetch_u4    3      ir <- macro instruction
t + 4    jmp_reqm    4      require memory?

If no memory fetch is required

Cycle    uCode       uLoc   Comment
t + 5    jmp_opc     5      jump to noop+instruction number

If a memory fetch is required


Addressing mode: IMMEDIATE

Cycle    uCode       uLoc   Comment
t + 5    MF0_u1      23     jump to immediate addr mode fetch
t + 6    MF3_u1w4    32     jump to wait 4
t + 7    wait4       97     idle
t + 8    wait3       98     idle
t + 9    wait2       99     idle
t + 10   wait1       100    idle
t + 11   MF3_u6      101    jump to base+instruction number


Addressing mode: INDIRECT

Cycle    uCode       uLoc   Comment
t + 5    MF1_u1      24     jump to indirect addr mode fetch
t + 6    MF3_u4      34     get word from memory
t + 7    MF3_u5w3    35     read word into m and jump to wait 3
t + 8    wait3       98     idle
t + 9    wait2       99     idle
t + 10   wait1       100    idle
t + 11   MF3_u6      101    jump to base+instruction number


Addressing mode: INDEXED with x

Cycle    uCode       uLoc   Comment
t + 5    MF2_u1      25     jump to indexed-x addr mode fetch
t + 6    MF3_u1      37     m <- instruction operand
t + 7    MF2_u2      38     addr <- m + x
t + 8    fetch_u3    39     invalid address (> 20 bits)?
t + 9    MF3_u4      40     get word from memory
t + 10   MF3_u5      41     read word into m
t + 11   MF3_u6      42     jump to base+instruction number


Addressing mode: INDEXED with y

Cycle    uCode       uLoc   Comment
t + 5    MF3_u1      26     m <- instruction operand
t + 6    MF3_u2      27     addr <- m + y
t + 7    fetch_u3    28     invalid address (> 20 bits)?
t + 8    MF3_u4      29     get word from memory
t + 9    MF3_u5      30     read word into m
t + 10   MF3_u6w1    31     jump to wait_0 (MF3_u6)
t + 11   MF3_u6      101    jump to base+instruction number


Individual Instructions


Instruction: NOOP # 0

Cycle    uCode       uLoc   Comment
t + 6    NOOP        6      jump to fetch next macro instruction


Instruction: SHRS # 1

Cycle    uCode       uLoc   Comment
t + 6    SHRS_u1     7      jump to shrs code
t + 7    AXY_WRITE   14     destination must be register A, X or Y
t + 8    SHRS_u2     15     shr operation
t + 9    NOOP        16     jump to fetch next macro instruction


Instruction: SHRB # 2

Cycle    uCode       uLoc   Comment
t + 6    SHRB_u1     8      jump to shrb code
t + 7    AXY_WRITE   17     destination must be register A, X or Y
t + 8    SHRB_u2     18     shrb operation
t + 9    NOOP        19     jump to fetch next macro instruction


Instruction: SHLB # 3

Cycle    uCode       uLoc   Comment
t + 6    SHLB_u1     9      jump to shlb code
t + 7    AXY_WRITE   20     destination must be register A, X or Y
t + 8    SHLB_u2     21     shlb operation
t + 9    NOOP        22     jump to fetch next macro instruction


Instruction: SHLS # 4

Cycle    uCode       uLoc   Comment
t + 6    AXY_WRITE   10     destination must be register A, X or Y
t + 7    SHLS_u1     11     shls operation
t + 8    NO_OVL      12     result must not overflow
t + 9    NOOP        13     jump to fetch next macro instruction


Instruction: CMP # 5

Cycle    uCode       uLoc   Comment
t + 12   COMPARE_u1  43     jump to compare code
t + 13   bcmp        59     compare operation
t + 14   NOOP        60     jump to fetch next macro instruction


Instruction: WRITEM # 6

Cycle    uCode       uLoc   Comment
t + 12   writemem_u1 44     jump to writem code
t + 13   writemem_u2 61     write r to address
t + 14   NOOP        62     jump to fetch next macro instruction


Instruction: WRITEIO # 7

Cycle    uCode       uLoc   Comment
t + 12   writeio_u1  45     jump to writeio code
t + 13   writeio_u2  63     write r to address
t + 14   NOOP        64     jump to fetch next macro instruction


Instruction: NEG # 8

Cycle    uCode       uLoc   Comment
t + 12   NEG_u1      46     jump to neg code
t + 13   AXY_WRITE   65     destination must be register A, X or Y
t + 14   NEG_u2      66
t + 15   NOOP        67     jump to fetch next macro instruction


Instruction: CALL # 9

Cycle    uCode       uLoc   Comment
t + 12   call_u1     47
t + 13   call_u2     68
t + 14   call_u3     69
t + 15   fetch_u3    70
t + 16   NOOP        71     jump to fetch next macro instruction


Instruction: READIO # 10

Cycle    uCode       uLoc   Comment
t + 12   readio_u1   48
t + 13   readio_u2   72
t + 14   MF3_u5      73
t + 15   readio_u4   74
t + 16   NOOP        75     jump to fetch next macro instruction


Instruction: READM # 11

Cycle    uCode       uLoc   Comment
t + 12   readmem_u1  49
t + 13   readio_u4   76
t + 14   CK_VALID_PC 77
t + 15   NOOP        78     jump to fetch next macro instruction


Instruction: ADDB # 12

Cycle    uCode       uLoc   Comment
t + 12   ADDB_u1     50
t + 13   ADDB_u2     79
t + 14   NOOP        80     jump to fetch next macro instruction


Instruction: ADDS # 13

Cycle    uCode       uLoc   Comment
t + 12   ADDS_u1     51
t + 13   ADDS_u2     81
t + 14   CK_VALID_PC 82
t + 15   NO_OVL      83
t + 16   NOOP        84     jump to fetch next macro instruction


Instruction: SUBB # 14

Cycle    uCode       uLoc   Comment
t + 12   SUBB_u1     52
t + 13   SUBB_u2     85
t + 14   NOOP        86     jump to fetch next macro instruction


Instruction: SUBS # 15

Cycle    uCode       uLoc   Comment
t + 12   SUBS_u1     53
t + 13   SUBS_u2     87
t + 14   CK_VALID_PC 88
t + 15   NO_OVL      89
t + 16   NOOP        90     jump to fetch next macro instruction


Instruction: XOR # 16

Cycle    uCode       uLoc   Comment
t + 12   XOR_u1      54
t + 13   XOR_u2      91
t + 14   NOOP        92     jump to fetch next macro instruction


Instruction: AND # 17

Cycle    uCode       uLoc   Comment
t + 12   AND_u1      55
t + 13   AND_u2      93
t + 14   NOOP        94     jump to fetch next macro instruction


Instruction: NOR # 18

Cycle    uCode       uLoc   Comment
t + 12   NOR_u1      56
t + 13   NOR_u2      95
t + 14   NOOP        96     jump to fetch next macro instruction


Instruction: ANDMBAR # 19

Cycle    uCode       uLoc   Comment
t + 12   ANDMBAR_u1  57
t + 13   NOOP        58     jump to fetch next macro instruction

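The tables above can be replayed to make their timing structure explicit. The Python block below is an added example, not part of the report: the (uCode, uLoc) pairs are transcribed from the Appendix F tables for the common fetch sequence, the four addressing modes and a sample of instruction bodies (the NEG, CALL and remaining bodies are omitted for brevity, not because they differ in kind). The functions replay one macro instruction and check the property the wait states exist to provide: every memory addressing mode occupies exactly cycles t+5 through t+11, so a body that needs an operand always starts at t+12, and a register-only body always starts at t+6.

```python
"""Cycle-level replay of the microcode sequences tabulated in Appendix F.

Added example, not part of the report. The (uCode, uLoc) pairs below are
transcribed from the appendix tables; only a sample of instruction bodies
is included.
"""

FETCH = [  # common to all instructions, cycles t .. t+4
    ("fetch_u1", 0), ("fetch_u2", 1), ("fetch_u3", 2), ("fetch_u4", 3),
    ("jmp_reqm", 4),
]
NO_MEMORY = [("jmp_opc", 5)]  # t+5: jump straight to the instruction body

MODES = {  # t+5 .. t+11 when a memory fetch is required
    "IMMEDIATE": [("MF0_u1", 23), ("MF3_u1w4", 32), ("wait4", 97),
                  ("wait3", 98), ("wait2", 99), ("wait1", 100), ("MF3_u6", 101)],
    "INDIRECT":  [("MF1_u1", 24), ("MF3_u4", 34), ("MF3_u5w3", 35),
                  ("wait3", 98), ("wait2", 99), ("wait1", 100), ("MF3_u6", 101)],
    "INDEXED_X": [("MF2_u1", 25), ("MF3_u1", 37), ("MF2_u2", 38), ("fetch_u3", 39),
                  ("MF3_u4", 40), ("MF3_u5", 41), ("MF3_u6", 42)],
    "INDEXED_Y": [("MF3_u1", 26), ("MF3_u2", 27), ("fetch_u3", 28), ("MF3_u4", 29),
                  ("MF3_u5", 30), ("MF3_u6w1", 31), ("MF3_u6", 101)],
}

# Instruction bodies: (needs a memory operand, microinstruction sequence).
BODIES = {
    "NOOP": (False, [("NOOP", 6)]),
    "SHRS": (False, [("SHRS_u1", 7), ("AXY_WRITE", 14), ("SHRS_u2", 15), ("NOOP", 16)]),
    "SHLS": (False, [("AXY_WRITE", 10), ("SHLS_u1", 11), ("NO_OVL", 12), ("NOOP", 13)]),
    "CMP":  (True,  [("COMPARE_u1", 43), ("bcmp", 59), ("NOOP", 60)]),
    "ADDS": (True,  [("ADDS_u1", 51), ("ADDS_u2", 81), ("CK_VALID_PC", 82),
                     ("NO_OVL", 83), ("NOOP", 84)]),
}


def schedule(instr, mode=None):
    """Return [(cycle offset from t, uCode, uLoc)] for one macro instruction."""
    needs_mem, body = BODIES[instr]
    if needs_mem:
        if mode not in MODES:
            raise ValueError(f"{instr} needs an addressing mode, got {mode!r}")
        steps = FETCH + MODES[mode] + body
    else:
        steps = FETCH + NO_MEMORY + body   # addressing mode is irrelevant here
    return [(off, code, loc) for off, (code, loc) in enumerate(steps)]


def body_start(instr, mode=None):
    """Cycle offset at which the instruction-specific microcode begins."""
    return len(schedule(instr, mode)) - len(BODIES[instr][1])


def total_cycles(instr, mode=None):
    """Number of cycles from fetch_u1 up to and including the final NOOP."""
    return len(schedule(instr, mode))


def mode_latencies():
    """Cycles each addressing mode spends between jmp_reqm and the body."""
    return {m: len(seq) for m, seq in MODES.items()}


def uniform_latency():
    """True when all modes take equally long (the wait states pad them out)."""
    return len(set(mode_latencies().values())) == 1


if __name__ == "__main__":
    for off, code, loc in schedule("CMP", "IMMEDIATE"):
        print(f"t + {off:<2} {code:<12} {loc}")
```

The uniform seven-cycle latency is what lets the proof scripts in Appendix G treat "t+12" as the fixed entry point of every memory-operand instruction regardless of how the operand was addressed; a microcode change that shortened one mode without re-padding it would silently invalidate those step counts.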
Appendix G: SAMPLE MACRO TO MICRO LEVEL PROOF


let SHIFT.SYMB_EXEC1.TAC = 

NORMAL.SYMB.EXEC 4 T4 THEN DELETE_USTEP_TAC 3 
THEN NORMAL.SYMB.EXEC 5 T5 THEN DELETE.USTEP.TAC 4 
THEN NORMAL_SYMB_EXEC 6 T6 THEN DELETE.USTEP.TAC 5 
THEN JMPOPC.POP.ASSUM.TAC 

THEN NEXT_SYMB.EXEC.TAC 7 THEN DELETE.USTEP.TAC 6 
THEN ASM.CASES.TAC AXY.DSF.CASES 

THEN POP_ASSUM(\thm. ASSUME.TAC (REWRITE.RULE [DE.MORGAN.THM] thm ));; 

let SHIFT.BAD_DEST.TAC = 

ASSUM_LIST(\asl . ASSUME.TAC( 

REWRITE.RULE (CONJUNCTS (el 1 asl)) DSF.CASES) ) 

THEN ASSUM_LIST(\asl. 

IMP.RES.TAC (el (mpc.f rom.thm (el 3 asl)+l) Micro.Int.Inst.list) ) 

THEN ASSUM.LIST (\asl. POP_ASSUM(\thm. POP_ASSUM(\thml . 

MAP.EVERY ASSUME.TAC ( (CONJUNCTS (REWRITE.RULE 
([PAIR_EQ;T8] 8 (subtract asl [thm])) thm) ))))) 

THEN DELETE.USTEP.TAC 7 

X The processor is nos stopped due to an addressing exception X 
X specialize and rewrite stop.thm show nothing will change X 
THEN ASSUM_LIST(\asl. 

let curTime = (term.to.int 

(rand(rand(fst( dest_eq(snd(dest_thm(el 1 asl))))))) ) in 
let endTime = 

(term.to.int (snd(dest_eq(snd(dest_thm (el 17 asl) ))))) in 
ASSUME.TAC ( REWRITE.RULE [ (el 1 asl); (el 5 asl) ; (el 21 asl); 

(sumTHM curTime (endTime-curTime) ) ] 

(SPECL [(int.to.term (endTime - curTime )); (t.plus.term curTime)] 
stop.thm) ) ) 

THEN ASSUM.LIST (\asl . POP_ASSUM(\thm. 

MAP.EVERY ASSUME.TAC ( (CONJUNCTS (REWRITE.RULE 
([PAIR.EQ] 8 (subtract asl [thm])) thm) )))) 

THEN DELETE.USTEP.TAC 8 
THEN ASM.REWRITE.TAC [PAIR.EQ] 

THEN REWRITE.TAC [update.reg; PAIR.EQ ; EL.SET.EL] ; ; 
let SHIFT.G00D_DEST.TAC1 = 

ASSUM_LIST(\asl. ASSUME_TAC( REWRITE.RULE [(el 1 asl)] AXY.IMP1 )) 

THEN ASSUM_LIST(\asl . 

IMP.RES.TAC (el (mpc.f rom.thm (el 3 asl)+l) Micro.Int.Inst.list)) 

THEN ASSUM.LIST (\asl. POP_ASSUM(\thm . P0P_ASSUM(\thml . 

MAP.EVERY ASSUME.TAC ( (CONJUNCTS (REWRITE.RULE 
( [PAIR.EQ ;T8] 8 (subtract asl [thm])) thm) ))))) 



THEN NORMAL.POP.ASSUM.TAC 
THEN DELETE.USTEP.TAC 7 

THEN NEXT.SYMB.EXEC.TAC 9 THEN DELETE.USTEP.TAC 8 
THEN NEXT.SYMB.EXEC.TAC 10 THEN DELETE.USTEP.TAC 9 


let SHIFT_G00D_DEST_TAC2 = 

ASSUM_LIST(\asl . DISJ_CASES_TAC (el 14 asl) ) 
THENL 

[ 

EXPAND.REG.TAC 

THEN ASH.REWRITE.TAC [PAIR.EQ ;EL_SET_EL] 
THEN INDEPENDENCE.TAC INDEP.A.UPDATE1- 

I 

POP_ASSUM(\thm. DIS J_CASES_TAC thm) 

THEN EXPAND.REG.TAC 

THEN ASM.REWRITE.TAC [PAIR_EQ;EL_SET_EL] 
THENL 

[ INDEPENDENCE.TAC INDEP_X_UPDATE1 ; 
INDEPENDENCES AC INDEP_Y_UPDATE1 ] 

] 

THEN ASH_REURITE_TAC [] ; ; 


let SHIFTB_GOOD_DEST_TAC = 

ASSUM.LIST (\asl . DIS J_CASES_TAC (el 14 asl) ) 
THENL 

[ EXPAND.REG.TAC 
THEN EXPAND.B.TAC 

THEN ASH.REWRITE.TAC [PAIR.EQ ; EL.SET.EL] 
THEN INDEPENDENCE.TAC INDEP.A.UPDATEl 

POP_ASSUM(\thm. DISJ.CASES.TAC thm) 

THEN EXPAND.REG.TAC 
THEN EXPAND.B.TAC 

THEN ASH.REWRITE.TAC [PAIR.EQ ; EL.SET.EL] 
THENL 

[ INDEPENDENCE.TAC INDEP.X.UPDATEl ; 
INDEPENDENCE.TAC INDEP.Y.UPDATEl 

] 

] 

THEN ASM.REWRITE.TAC [] ;; 
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X 

max_print_depth 9;; 

set_f lag( < print_asl_list * , true) ; ; 

set_f lag( ‘print_asl_list 4 .false) ; ; 

asl_print_list := [1] ; ; 

asl_print_list := [3 ; 2 ; 1] ; ; 

pi;; 

set.flagC'print.asl* .false) ; ; 

set_f lag( ‘print_gl ‘ .false) ; ; 

set_f lag( *print_gl * .true) ; ; 

set_f lagOshow.types* .false) ; ; 

f st (dest_eq(snd(dest jthaCSPECl JEL_COND.THM) ) ) ) ; ; 

loadf 1 /usr/csgrad/ schubert /bin/ init * ; ; 


7 . 


max_print_depth 9 ; ; 

system ‘ /bin/rm new.shift . th* ; ; 

new.theory ‘new_shift ‘ ; ; 

loadf ‘goals.ml*;; 

loadf ‘ stack . ml * ; ; 

set_search_path (search_path() C [ ‘ ./theories/ * ; ]);; 

X loadf t . ./vinst/inst.aux .ml ‘ ; ; % 

loadf 1 . ./vinst/mk^mac .ml ‘ ; ; 
loadf ‘ . . /vinst/new_inst_aux . ml ‘ ; ; 
loadf ‘ . . /vinst/new_shif t_aux .ml ‘ ; ; 

map (delete_cache o fst) (cached.theoriesO ) ; ; 


X 

from oxalis: 

Run time: 2719.9s 

Run time: 880.2s 

Run time: 979.8s 

Run time: 1177.5s 
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Run time: 14550.3s (combined steps) 


first time on chug jug: 

Run time: 1838.6s 
Run time: 632.8s 
Run time: 707.8s 
Run time : 952 . Is 
Run time: 786.5s 
missing last step 

Second time with improved last step: 

Runtime: 1997.1s Intermediate theorems generated: 73834 

Run time: 652.6s Intermediate theorems generated: 20909 

Run time: 748.7s Intermediate theorems generated: 28525 

Run time: 1011.2s Intermediate theorems generated: 26480 

Run time: 804.8s Intermediate theorems generated: 29003 

Run time: 4029.7s Intermediate theorems generated: 115876 

9244. ls/154 .07m/2. 6h thms generated 294627 32thms/sec 


PROVE SHE instruction 
On American: 

Run time: 915.7s Intermediate theorems generated: 67117 

Run time: 93.9s Intermediate theorems generated: 3905 

Run time: 395.8s Intermediate theorems generated: 28853 

Run time: 379.9s Intermediate theorems generated: 23540 

Run time: 419.4s Intermediate theorems generated: 29521 

Run time: 1528.5s Intermediate theorems generated: 95274 

Run time: 3337 .4s/55. 6m thms generated: 248210 74thms/sec 

Run time: 3259.9s Intermediate theorems generated: 248202 

% 

map (delete_cache o fst) (cached.theoriesO ) ; ; 
g( MK_INST_CORRECT_G0AL 1 );; 

e( FETCH.INST.TAC 1 

THEN REWRITE _TAC [wr it e_reg_expanded; load.r .expanded] 

THEN SHIFT_SYMB_EXECljrAC 
THENL 

[ SHIFT_BAD_DEST_TAC 
; SH I FT_G OOD.DEST.TAC 1 
THEN SHIFT_GOODJ)ESTJTAC2 

] 
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PROVE SHRB instruction 




On American: 

Run time: 979.2s Intermediate theorems generated: 69555 

Run time: 98.4s Intermediate theorems generated: 5828 

Run time: 377.9s Intermediate theorems generated: 28853 

Run time: 453.2s Intermediate theorems generated: 31757 

Run time: 1840,6s Intermediate theorems generated: 114624 

Run time: 3749.3s/62.5m thms generated 250617 67thms/sec 



map (delete_cache o fst) (cached.theoriesQ ) ; ; 
g( MK_INST_C0RRECT_G0AL 2 );; 

e ( FETCH_INST_TAC 2 

THEN REWRITE_TAC [write_reg_expanded; load_r_expanded] 

THEN SHIFT_SYMB.EXEC1.TAC 
THENL 

[ SHIFT_BAD_DEST_TAC 
; SHIFT_G00D_DEST_TAC1 
THEN SHIFTB_G00D_DEST_TAC 

] 

);; 

7 . 

PROVE SHLB instruction 

Run time: 1453.2s Intermediate theorems generated: 103886 

Run time: 406.9s Intermediate theorems generated: 25436 

Run time: 2253.6s Intermediate theorems generated: 146380 

Run time: 4113. 7/68. 7m thms generated 275702 67thms/sec 



map (delete.cache o fst) (cached.theor iesO) ; ; 

g( MK_INST_C0RRECT_G0AL 3 );; 

e( FETCH.INST.TAC 3 

THEN REWRITE_TAC [srrite_reg_expanded; load_r_expanded] 

THEN SHIFT_SYMB_EXECl_TAe 
THENL 

[ SHIFT_BAD_DEST_TAC 
; SHIFT_G00D_DEST_TAC1 
THEN SHIFTB_G00D_DEST_TAC 
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] 




% 

PROVE SHL instruction 

The microcode for this instruction is different than the other 
shift instructions and so, requires specialization of the tactics 


Run time: 1484.8s 
Run time : 457 . 5s 
Run time : 568 . Is 


Intermediate theorems generated: 106432 
Intermediate theorems generated: 28460 
Intermediate theorems generated: 40518 


attempt 2: 

Run time: 1205.8s 
Run time : 374 . Is 
Run time: 550.9s 
Run time: 1893.9s 
Run time: 24.2s 
Run time: 33.1s 
Run time : 78.3s 
Run time: 1972.3s 


Intermediate theorems generated: 98349 
Intermediate theorems generated: 24716 
Intermediate theorems generated: 40518 
Intermediate theorems generated: 130991 
Intermediate theorems generated: 706 
Intermediate theorems generated: 706 
Intermediate theorems generated: 838 
Intermediate theorems generated: 136632 


7 . 


map (delete.cache o fst) (cached.theoriesO ) ; ; 
g( MK_INST.C0RRECT.G0AL 4 ) ; ; 

e( FETCH.INST.TAC 4 

THEN REWRITE.TAC [writ e.reg.expanded ; load.r. expanded] 

THEN NORMAL.SYMB.EXEC 4 T4 THEN DELETE JJSTEP.TAC 3 
THEN NORMAL.SYMB.EXEC 5 T5 THEN DELETE.USTEP.TAC 4 
THEN NORMAL.SYMB.EXEC 6 T6 THEN DELETE.USTEP.TAC 5 
THEN JMP0PC.P0P.ASSUM.TAC 
THEN ASM.CASES.TAC AXY.DSF.CASES 

THEN P0P_ASSUM(\thm. ASSUME.TAC (REWRITE.RULE [DE.M0RGAN.THM] thm )) 

);; 

7, variation on SHIFT.BAD_DEST.TAC % 
e( ASSUM_LIST(\asl. ASSUME.TACC 

REWRITE.RULE (CON JUNCTS(el 1 asl)) DSF.CASES)) 

THEN ASSUM.LIST (\asl . 

IMP.RES.TAC (el (mpc.f rom.thm (el 3 asl)+l) Micro.Int.Inst.list) ) 
THEN ASSUM.LIST (\asl. POP.ASSUM(\thm. P0P.ASSUM(\thml . 

MAP.EVERY ASSUME.TAC ( (C0NJUNCTS (REWRITE.RULE 
( [PAIR_EQ;T7] t (subtract asl [thm])) thm) ))))) 

THEN DELETE.USTEP.TAC 6 
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7 , The processor is noo stopped due to an addressing exception 7 , 

7 > specialize and rewrite stop.thm show nothing will change 7. 

THEN ASSUM.LIST(\asl. 

let curTime = (term.to.int 

(rand(rand(f st ( dest_eq(snd(dest_thm(el 1 asl))))))) ) in 
let endTime = 

(term.to.int (snd(dest_eq(snd(dest_thm (el 17 asl) ))))) in 
ASSUME.TAC ( REWRITE.RULE [ (el 1 asl); (el 5 asl) ; (el 21 asl); 

(sumTHM curTime (endTime-curTime) ) ] 

(SPECL [ (int.to.term (endTime - curTime )); (t.plus.term curTime)] 
stop_thm) ) ) 

THEN ASSUM.LIST (\asl. POP_ASSUM(\thm. 

MAP.EVERY ASSUME.TAC ( (CONJUNCTS (REWRITE.RULE 
([PAIR.EQ] C (subtract asl[thm])) thm) )))) 

THEN DELETE.USTEP.TAC 7 

THEN 7 % rewrite with address case 7 * 

ASSUM_LIST(\asl . REWRITE.TAC (CONJUNCTS (el 15 asl))) 

THEN ASM.REWRITE.TAC [PAIR.EQ] 

THEN REWRITE.TAC [ELP.SET.ELP] 

); ; 

7 . modification to SHIFT.G00D_DEST.TAC1 7, 

e( ASSUM_LIST(\asl . ASSUME_TAC( REWRITE.RULE [(el 1 asl)] AXY.IMP1 )) 

THEN ASSUM_LIST(\asl . 

IMP.RES.TAC (el (mpc.f rom.thm (el 3 asl)+l) Micro. Int.Inst.list) ) 

THEN ASSUM.LIST (\asl. P0P_ASSUM(\thm . POP_ASSUM(\thml . 

MAP.EVERY ASSUME. TAC ( (CONJUNCTS (REWRITE.RULE 
( [PAIR.EQ ; T7] $ (subtract asl [thm])) thm) ))))) 

THEN N0RMAL_P0P.ASSUM.TAC 
THEN DELETE.USTEP.TAC 6 

THEN NEXT_SYMB.EXEC.TAC 8 THEN DELETE.USTEP.TAC 7 
THEN NEXT.SYMB_EXEC.TAC 9 THEN DELETE.USTEP.TAC 8 
THEN ASM.CASES.TAC 

" (bitn (rep: "rep.ty) (EL (bt2_val 
(RSF rep(fetch rep(ram (t :num) , address rep(EL p_reg(reg t)))))) 
(update_reg(reg t)(F,T,T)(b t)(add rep(EL p_reg(reg t),wordn rep !)))))" 


% overflow case %

e( POP_ASSUM (\thm1. POP_ASSUM (\thm2.
     (ASSUME_TAC thm1)
     THEN ASSUME_TAC (REWRITE_RULE [thm1] thm2)))
   THEN ASSUM_LIST (\asl.
     let curTime = (term_to_int
                     (rand (rand (fst (dest_eq (snd (dest_thm (el 1 asl)))))))) in
     let endTime =
       (term_to_int (snd (dest_eq (snd (dest_thm (el 18 asl)))))) in
     ASSUME_TAC (REWRITE_RULE [(el 1 asl); (el 6 asl); (el 2 asl); (el 22 asl);
                               (sumTHM curTime (endTime - curTime))]
       (SPECL [(int_to_term (endTime - curTime)); (t_plus_term curTime)]
         stop_thm)))
   THEN ASSUM_LIST (\asl. POP_ASSUM (\thm.
     MAP_EVERY ASSUME_TAC ((CONJUNCTS (REWRITE_RULE
       ([PAIR_EQ] @ (subtract asl [thm])) thm)))))
   THEN DELETE_USTEP_TAC 9
   % from SHIFT_GOOD_DEST_TAC2 %
   THEN ASSUM_LIST (\asl. DISJ_CASES_TAC (el 15 asl))
   THENL [ EXPAND_REG_TAC
           THEN EXPAND_COND_TAC 15 % rewrite bitn term %
           THEN ASM_REWRITE_TAC [PAIR_EQ; EL_SET_EL]
           THEN INDEPENDENCE_TAC INDEP_A_UPDATE1
         ;
           POP_ASSUM (\thm. DISJ_CASES_TAC thm)
           THEN EXPAND_REG_TAC
           THEN EXPAND_COND_TAC 15
           THEN ASM_REWRITE_TAC [PAIR_EQ; EL_SET_EL]
           THENL
             [ INDEPENDENCE_TAC INDEP_X_UPDATE1 ;
               INDEPENDENCE_TAC INDEP_Y_UPDATE1
             ]
         ]
   THEN ASM_REWRITE_TAC []
   THEN POP_ASSUM (\thm. (ASSUM_LIST (\asl. REWRITE_TAC
     [(REWRITE_RULE ([update_reg] @ asl) thm)])))
 );;


% no overflow case %

e( POP_ASSUM (\thm1. POP_ASSUM (\thm2.
     (ASSUME_TAC thm1)
     THEN ASSUME_TAC (REWRITE_RULE [thm1] thm2)))
   THEN NEXT_SYMB_EXEC_TAC 10 THEN DELETE_USTEP_TAC 9
   % from SHIFT_GOOD_DEST_TAC2 %
   THEN ASSUM_LIST (\asl. DISJ_CASES_TAC (el 15 asl))
   THENL [ EXPAND_REG_TAC
           THEN EXPAND_COND_TAC 15 % rewrite bitn term %
           THEN ASM_REWRITE_TAC [PAIR_EQ; EL_SET_EL]
           THEN INDEPENDENCE_TAC INDEP_A_UPDATE1
         ;
           POP_ASSUM (\thm. DISJ_CASES_TAC thm)
           THEN EXPAND_REG_TAC
           THEN EXPAND_COND_TAC 15
           THEN ASM_REWRITE_TAC [PAIR_EQ; EL_SET_EL]
           THENL
             [ INDEPENDENCE_TAC INDEP_X_UPDATE1 ;
               INDEPENDENCE_TAC INDEP_Y_UPDATE1
             ]
         ]
   THEN ASM_REWRITE_TAC []
   THEN POP_ASSUM (\thm. (ASSUM_LIST (\asl. REWRITE_TAC
     [(REWRITE_RULE ([update_reg] @ asl) thm)])))
 );;




Appendix H: PHASE LEVEL SPECIFICATION

%
File: def_phase.ml

Description: Defines the behavioral description of the phase level
             interpreter.

Modified by ETS to reflect block changes.
%

set_search_path (search_path() @ lib_dir_list);;

loadf `abstract`;;

system `/bin/rm phase_def.th`;;

new_theory `phase_def`;;

map new_parent [`aux_def`; `tuple`; `regs_def`; `ucode_def`; `threeval`];;

let rep_ty = abstract_type `aux_def` `opcode`;;

%
Denotational descriptions of phase level instructions.
%

let phase_one_def = new_definition
 (`phase_one_def`,
  "! (rep:^rep_ty) (regs:(*wordn)list) (mreg insreg din dout:*wordn)
     (ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
     (mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
     (ph1 ph2 ph3:bool) (reset:bool) .
   phase_one rep (regs, mreg, insreg, din, dout, ram, b, stop, ovl, mar, res,
                  mpc, mir, urom, rlatch, mlatch, ph1, ph2, ph3) (reset) =
     stop => (regs, mreg, insreg, din, dout, ram, b, T, ovl, mar, res,
              (F,F,F,F,F,F,F), mir, urom, rlatch, mlatch, F, F, F) |
             (regs, mreg, insreg, din, dout, ram, b, F, ovl, mar, res,
              mpc, urom (bt7_val mpc), urom, rlatch, mlatch, F, T, F)"
 );;

let phase_two_def = new_definition
 (`phase_two_def`,
  "! (rep:^rep_ty) (regs:(*wordn)list) (mreg insreg din dout:*wordn)
     (ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
     (mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
     (ph1 ph2 ph3:bool) (reset:bool) .
   phase_two rep (regs, mreg, insreg, din, dout, ram, b, stop, ovl, mar, res,
                  mpc, mir, urom, rlatch, mlatch, ph1, ph2, ph3) (reset) =
     (regs, mreg, insreg, din,
      (W mir => EL (bt2_val (Rfc mir => (Mrf mir) | RSF rep insreg)) regs | dout),
      ram, b,
      ((FST (decode rep (opcode rep insreg, b)) /\ (Dec_ctl mir)) \/
       ((Seqctl mir = (F,F,T))
        /\ (((FST (SND (decode rep (opcode rep insreg, b)))) = (F,F,T,T,F)) \/
            ((FST (SND (decode rep (opcode rep insreg, b)))) = (F,F,T,T,T)))
        /\ ((MSF rep insreg) = (F,F))) \/
       (Seqctl mir = T,F,F) /\ ovl \/
       (Seqctl mir = T,F,T) /\ ~valid_address rep res \/
       (Seqctl mir = T,T,F) /\
        (((DSF rep insreg = (T,T,F)) \/ (DSF rep insreg = (T,T,T))) \/
         (~(((DSF rep insreg = (T,F,F)) /\ ~b) \/
            ((DSF rep insreg = (T,F,T)) /\ b)) /\
          ((DSF rep insreg = (F,T,T)) \/
           (DSF rep insreg = (T,F,F)) \/
           (DSF rep insreg = (T,F,T))) /\
          ~valid_address rep res)) \/
       (Seqctl mir = T,T,T) /\
        ((DSF rep insreg = (F,T,T)) \/
         (DSF rep insreg = (T,F,F)) \/
         (DSF rep insreg = (T,F,T)) \/
         (DSF rep insreg = (T,T,F)) \/
         (DSF rep insreg = (T,T,T)))),
      ovl,
      ((R mir \/ W mir) =>
        (Adrs mir => address rep insreg |
                     address rep (EL p_reg regs)) | mar),
      res, mpc, mir, urom,
      EL (bt2_val (Rfc mir => (Mrf mir) | RSF rep insreg)) regs,
      ((Ms mir = F,F) => mreg |
       ((Ms mir = F,T) => wordn rep 1 | pad rep (address rep insreg))),
      F, F,
      ~((FST (decode rep (opcode rep insreg, b)) /\ (Dec_ctl mir)) \/
        ((Seqctl mir = (F,F,T))
         /\ (((FST (SND (decode rep (opcode rep insreg, b)))) = (F,F,T,T,F)) \/
             ((FST (SND (decode rep (opcode rep insreg, b)))) = (F,F,T,T,T)))
         /\ ((MSF rep insreg) = (F,F))) \/
        (Seqctl mir = T,F,F) /\ ovl \/
        (Seqctl mir = T,F,T) /\ ~valid_address rep res \/
        (Seqctl mir = T,T,F) /\
         (((DSF rep insreg = (T,T,F)) \/ (DSF rep insreg = (T,T,T))) \/
          (~(((DSF rep insreg = (T,F,F)) /\ ~b) \/
             ((DSF rep insreg = (T,F,T)) /\ b)) /\
           ((DSF rep insreg = (F,T,T)) \/
            (DSF rep insreg = (T,F,F)) \/
            (DSF rep insreg = (T,F,T))) /\
           ~valid_address rep res)) \/
        (Seqctl mir = T,T,T) /\
         ((DSF rep insreg = (F,T,T)) \/
          (DSF rep insreg = (T,F,F)) \/
          (DSF rep insreg = (T,F,T)) \/
          (DSF rep insreg = (T,T,F)) \/
          (DSF rep insreg = (T,T,T)))))"
 );;

%
The original form below has let definitions and takes a long time to
load, so it was replaced by the HOL-expanded definition above.

     let rselect = bt2_val ((Rfc mir) => (Mrf mir) | RSF rep insreg) in
     let r_out = (EL rselect regs) in
     let new_dout = ((W mir) => r_out | dout) in
     let bad_res = ~(valid_address rep res) in
     let df = (DSF rep insreg) in
     let pdest = ((df=(F,T,T)) \/ (df=(T,F,F)) \/ (df=(T,F,T))) in
     let skip = ((df=(T,F,F)) /\ ~b) \/ ((df=(T,F,T)) /\ b) in
     let bad_rdest = ((df=(T,T,F)) \/ (df=(T,T,T))) in
     let bad_dest = ((df=(F,T,T)) \/ (df=(T,F,F)) \/ (df=(T,F,T))
                     \/ (df=(T,T,F)) \/ (df=(T,T,T))) in
     let seq_case4 = ((Seqctl mir) = (T,F,F)) in
     let seq_case5 = ((Seqctl mir) = (T,F,T)) in
     let seq_case6 = ((Seqctl mir) = (T,T,F)) in
     let seq_case7 = ((Seqctl mir) = (T,T,T)) in
     let msl_stop = ((seq_case4 /\ ovl) \/
                     (seq_case5 /\ bad_res) \/
                     (seq_case6 /\ (bad_rdest \/
                                    (~skip /\ pdest /\ bad_res))) \/
                     (seq_case7 /\ bad_dest)) in
     let new_stop = (((FST (decode rep (opcode rep insreg, b)))
                      /\ (Dec_ctl mir))
                     \/ msl_stop) in
     let adr_out = ((Adrs mir) => (address rep insreg) |
                                  (address rep (EL p_reg regs))) in
     let new_mar = (((R mir) \/ (W mir)) => adr_out | mar) in
     let new_rlatch = r_out in
     let new_mlatch = (((Ms mir) = (F,F)) => mreg |
                       ((Ms mir) = (F,T)) => (wordn rep 1) |
                       (pad rep (address rep insreg))) in
     (regs, mreg, insreg, din, new_dout, ram, b, new_stop, ovl, new_mar,
      res, mpc, mir, urom, new_rlatch, new_mlatch, F, F, ~new_stop)"
%
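The stop logic of phase two is the part of this definition a reviewer cares about most, since it decides when the machine refuses to continue (invalid address as a jump target, overflow on a checked arithmetic step, a destination code that can never be written, a write with a bad memory select). The following Python is an added executable model of `new_stop`, written for this appendix and not part of the HOL sources. It keeps the let-names of the definition above and also includes the `(F,F,T)` clause that only the expanded form carries. Bit fields are tuples of bools, most significant bit first, in the HOL tuple order; `decode` and `valid_address` are stand-ins for the abstract `rep` functions and are assumptions of the example (only the shape of what they return matters to the stop logic).

```python
# Added example, not part of the HOL sources: an executable model of the
# phase-two stop logic (new_stop), keeping the let-names of the definition.
# `decode` and `valid_address` are stand-ins for the abstract rep functions.
from dataclasses import dataclass
from typing import Tuple

T, F = True, False
Bt2 = Tuple[bool, bool]
Bt3 = Tuple[bool, bool, bool]
Bt5 = Tuple[bool, bool, bool, bool, bool]


@dataclass(frozen=True)
class Ucode:
    """Microinstruction fields phase two consults (the rest are omitted)."""
    seqctl: Bt3     # Seqctl mir
    dec_ctl: bool   # Dec_ctl mir


@dataclass(frozen=True)
class Insreg:
    """Instruction-register fields phase two consults."""
    opcode: Bt5     # opcode rep insreg
    dsf: Bt3        # DSF rep insreg, the destination select field
    msf: Bt2        # MSF rep insreg, the memory select field


def decode(opcode: Bt5, b: bool) -> Tuple[bool, Bt5, bool]:
    """Stand-in for `decode rep (opcode rep insreg, b)` (assumption).

    Returns (illegal, opc, reqm): the all-ones opcode is treated as the
    illegal instruction, `opc` is the opcode itself and `reqm` (a memory
    operand is required) is taken from the middle opcode bit.
    """
    return (all(opcode), opcode, opcode[2])


def valid_address(res: int, address_bits: int = 20) -> bool:
    """Stand-in for `valid_address rep res` (assumption): the ALU result
    is a usable address when it fits in `address_bits` bits."""
    return 0 <= res < (1 << address_bits)


def phase_two_new_stop(mir: Ucode, insreg: Insreg, b: bool, ovl: bool,
                       res: int) -> bool:
    """new_stop of phase_two_def: True when the machine stop logic fires.

    The phase-two output sets ph3 = ~new_stop, so a True result skips
    phase three; the next phase is phase one, which latches stop and
    zeroes mpc.
    """
    illegal, opc, _reqm = decode(insreg.opcode, b)
    df = insreg.dsf
    bad_res = not valid_address(res)
    # Destinations that write the program counter: 3 always, 4 if b, 5 if ~b.
    pdest = df in {(F, T, T), (T, F, F), (T, F, T)}
    # A conditional P write whose condition fails is skipped, so an
    # invalid address in `res` does no harm in that case.
    skip = (df == (T, F, F) and not b) or (df == (T, F, T) and b)
    # Destination codes 6 and 7 never denote a register-file target.
    bad_rdest = df in {(T, T, F), (T, T, T)}
    bad_dest = pdest or bad_rdest
    seq = mir.seqctl
    # 9/7 change noted in the block-model header: MSL stops a write or
    # writeio (the two opcodes singled out below) whose msf is (F,F).
    bad_write = (seq == (F, F, T)
                 and opc in {(F, F, T, T, F), (F, F, T, T, T)}
                 and insreg.msf == (F, F))
    msl_stop = ((seq == (T, F, F) and ovl)
                or (seq == (T, F, T) and bad_res)
                or (seq == (T, T, F)
                    and (bad_rdest or (not skip and pdest and bad_res)))
                or (seq == (T, T, T) and bad_dest))
    return (illegal and mir.dec_ctl) or bad_write or msl_stop
```

The model makes the skip case easy to probe: with `Seqctl = (T,T,F)`, destination code 4 and `b = F`, an out-of-range `res` does not stop the machine, because the write to P is never performed; the same `res` with `b = T` does.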


let phase_three_def = new_definition
 (`phase_three_def`,
  "! (rep:^rep_ty) (regs:(*wordn)list) (mreg insreg din dout:*wordn)
     (ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
     (mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
     (ph1 ph2 ph3:bool) (reset:bool) .
   phase_three rep (regs, mreg, insreg, din, dout, ram, b, stop, ovl, mar, res,
                    mpc, mir, urom, rlatch, mlatch, ph1, ph2, ph3) (reset) =
     ((Re mir =>
        ((Dfc mir /\ ((Mdf mir = (T,T,F)) \/ (Mdf mir = (T,T,T)))) =>
          regs |
          update_reg regs
            (Dfc mir => (Mdf mir) | DSF rep insreg) b
            (((Aluctl mir = F,F,F,F) \/ (Aluctl mir = F,F,T,F)) =>
              mlatch |
             ((Aluctl mir = F,F,F,T) =>
              rlatch |
             ((Aluctl mir = F,F,T,T) =>
              neg rep mlatch |
             (((Aluctl mir = F,T,F,F) \/ (Aluctl mir = F,T,F,T)) =>
              add rep (rlatch, mlatch) |
             (((Aluctl mir = F,T,T,F) \/ (Aluctl mir = F,T,T,T)) =>
              sub rep (rlatch, mlatch) |
             ((Aluctl mir = T,F,F,F) =>
              bxor rep (rlatch, mlatch) |
             ((Aluctl mir = T,F,F,T) =>
              band rep (rlatch, mlatch) |
             ((Aluctl mir = T,F,T,F) =>
              bnor rep (rlatch, mlatch) |
             ((Aluctl mir = T,F,T,T) =>
              band rep (rlatch, bnot rep mlatch) |
             ((Aluctl mir = T,T,F,F) =>
              shr rep rlatch |
             ((Aluctl mir = T,T,F,T) =>
              shrb rep (rlatch, b) |
             ((Aluctl mir = T,T,T,F) =>
              shl rep rlatch |
              shlb rep (rlatch, b))))))))))))))) |
        regs),
      (De mir =>
        (Ds mir => mreg | din) |
        ((Re mir /\ Dfc mir /\
          ((bt3_val (Dfc mir => (Mdf mir) | DSF rep insreg)) = 6)) =>
          (((Aluctl mir = F,F,F,F) \/ (Aluctl mir = F,F,T,F)) =>
            mlatch |
           ((Aluctl mir = F,F,F,T) =>
            rlatch |
           ((Aluctl mir = F,F,T,T) =>
            neg rep mlatch |
           (((Aluctl mir = F,T,F,F) \/ (Aluctl mir = F,T,F,T)) =>
            add rep (rlatch, mlatch) |
           (((Aluctl mir = F,T,T,F) \/ (Aluctl mir = F,T,T,T)) =>
            sub rep (rlatch, mlatch) |
           ((Aluctl mir = T,F,F,F) =>
            bxor rep (rlatch, mlatch) |
           ((Aluctl mir = T,F,F,T) =>
            band rep (rlatch, mlatch) |
           ((Aluctl mir = T,F,T,F) =>
            bnor rep (rlatch, mlatch) |
           ((Aluctl mir = T,F,T,T) =>
            band rep (rlatch, bnot rep mlatch) |
           ((Aluctl mir = T,T,F,F) =>
            shr rep rlatch |
           ((Aluctl mir = T,T,F,T) =>
            shrb rep (rlatch, b) |
           ((Aluctl mir = T,T,T,F) =>
            shl rep rlatch |
            shlb rep (rlatch, b)))))))))))))) |
          mreg)),
      (De mir =>
        (Ds mir => din | insreg) |
        ((Re mir /\ Dfc mir /\
          ((bt3_val (Dfc mir => (Mdf mir) | DSF rep insreg)) = 7)) =>
          join rep (opcode rep insreg, address rep
            (((Aluctl mir = F,F,F,F) \/ (Aluctl mir = F,F,T,F)) =>
              mlatch |
             ((Aluctl mir = F,F,F,T) =>
              rlatch |
             ((Aluctl mir = F,F,T,T) =>
              neg rep mlatch |
             (((Aluctl mir = F,T,F,F) \/ (Aluctl mir = F,T,F,T)) =>
              add rep (rlatch, mlatch) |
             (((Aluctl mir = F,T,T,F) \/ (Aluctl mir = F,T,T,T)) =>
              sub rep (rlatch, mlatch) |
             ((Aluctl mir = T,F,F,F) =>
              bxor rep (rlatch, mlatch) |
             ((Aluctl mir = T,F,F,T) =>
              band rep (rlatch, mlatch) |
             ((Aluctl mir = T,F,T,F) =>
              bnor rep (rlatch, mlatch) |
             ((Aluctl mir = T,F,T,T) =>
              band rep (rlatch, bnot rep mlatch) |
             ((Aluctl mir = T,T,F,F) =>
              shr rep rlatch |
             ((Aluctl mir = T,T,F,T) =>
              shrb rep (rlatch, b) |
             ((Aluctl mir = T,T,T,F) =>
              shl rep rlatch |
              shlb rep (rlatch, b))))))))))))))) |
          insreg)),
      (R mir => (Io mir => fetchio rep (ram, mar) | fetch rep (ram, mar)) | din),
      dout,
      (W mir => (Io mir => storeio rep (ram, mar, dout) | store rep (ram, mar, dout)) | ram),
      ((Aluctl mir = F,F,T,F) =>
        bcmp rep (rlatch, mlatch, b, FSF rep insreg) |
       ((Aluctl mir = F,T,F,F) =>
        addp rep (rlatch, mlatch, add rep (rlatch, mlatch)) |
       ((Aluctl mir = F,T,T,F) =>
        subp rep (rlatch, mlatch, sub rep (rlatch, mlatch)) |
       ((Aluctl mir = T,T,F,T) =>
        bit0 rep rlatch |
       ((Aluctl mir = T,T,T,T) => bitn rep rlatch | b))))),
      F,
      (((Aluctl mir = F,T,F,F) \/ (Aluctl mir = F,T,F,T)) =>
        aovfl rep (rlatch, mlatch, add rep (rlatch, mlatch)) |
       (((Aluctl mir = F,T,T,F) \/ (Aluctl mir = F,T,T,T)) =>
        sovfl rep (rlatch, mlatch, sub rep (rlatch, mlatch)) |
       ((Aluctl mir = T,T,T,F) => bitn rep rlatch | F))),
      mar,
      (((Aluctl mir = F,F,F,F) \/ (Aluctl mir = F,F,T,F)) =>
        mlatch |
       ((Aluctl mir = F,F,F,T) =>
        rlatch |
       ((Aluctl mir = F,F,T,T) =>
        neg rep mlatch |
       (((Aluctl mir = F,T,F,F) \/ (Aluctl mir = F,T,F,T)) =>
        add rep (rlatch, mlatch) |
       (((Aluctl mir = F,T,T,F) \/ (Aluctl mir = F,T,T,T)) =>
        sub rep (rlatch, mlatch) |
       ((Aluctl mir = T,F,F,F) =>
        bxor rep (rlatch, mlatch) |
       ((Aluctl mir = T,F,F,T) =>
        band rep (rlatch, mlatch) |
       ((Aluctl mir = T,F,T,F) =>
        bnor rep (rlatch, mlatch) |
       ((Aluctl mir = T,F,T,T) =>
        band rep (rlatch, bnot rep mlatch) |
       ((Aluctl mir = T,T,F,F) =>
        shr rep rlatch |
       ((Aluctl mir = T,T,F,T) =>
        shrb rep (rlatch, b) |
       ((Aluctl mir = T,T,T,F) =>
        shl rep rlatch |
        shlb rep (rlatch, b)))))))))))))),
      (((Seqctl mir = F,F,T) /\ SND (SND (decode rep (opcode rep insreg, b))) \/
        (Seqctl mir = F,T,F) \/
        (Seqctl mir = F,T,T)) =>
        (((Seqctl mir = F,F,T)
          /\ ~((((FST (SND (decode rep (opcode rep insreg, b)))) = (F,F,T,T,F)) \/
                ((FST (SND (decode rep (opcode rep insreg, b)))) = (F,F,T,T,T)))
               /\ ((MSF rep insreg) = (F,F)))
          /\ SND (SND (decode rep (opcode rep insreg, b)))
         ) =>
         bt7_ival ((bt7_val (Maddr mir)) + (bt2_val (MSF rep insreg))) |
         ((Seqctl mir = F,T,F) =>
          bt7_ival
            ((bt7_val (Maddr mir)) +
             (bt5_val (FST (SND (decode rep (opcode rep insreg, b)))))) |
          ((Seqctl mir = F,T,T) => Maddr mir | (F,F,F,F,F,F,F)))) |
        bt7_ival ((bt7_val mpc) + 1)),
      mir, urom, rlatch, mlatch, T, F, F)"
 );;

%
The original form below has let definitions and takes a long time to
load, so it was replaced by the HOL-expanded definition above.

     let alu_case0 = ((Aluctl mir) = (F,F,F,F)) in
     let alu_case1 = ((Aluctl mir) = (F,F,F,T)) in
     let alu_case2 = ((Aluctl mir) = (F,F,T,F)) in
     let alu_case3 = ((Aluctl mir) = (F,F,T,T)) in
     let alu_case4 = ((Aluctl mir) = (F,T,F,F)) in
     let alu_case5 = ((Aluctl mir) = (F,T,F,T)) in
     let alu_case6 = ((Aluctl mir) = (F,T,T,F)) in
     let alu_case7 = ((Aluctl mir) = (F,T,T,T)) in
     let alu_case8 = ((Aluctl mir) = (T,F,F,F)) in
     let alu_case9 = ((Aluctl mir) = (T,F,F,T)) in
     let alu_case10 = ((Aluctl mir) = (T,F,T,F)) in
     let alu_case11 = ((Aluctl mir) = (T,F,T,T)) in
     let alu_case12 = ((Aluctl mir) = (T,T,F,F)) in
     let alu_case13 = ((Aluctl mir) = (T,T,F,T)) in
     let alu_case14 = ((Aluctl mir) = (T,T,T,F)) in
     let alu_case15 = ((Aluctl mir) = (T,T,T,T)) in
     let sum = (add rep (rlatch, mlatch)) in
     let diff = (sub rep (rlatch, mlatch)) in
     let result = (((alu_case0) \/ (alu_case2)) => mlatch |
                   alu_case1 => rlatch |
                   alu_case3 => (neg rep mlatch) |
                   (alu_case4 \/ alu_case5) => sum |
                   (alu_case6 \/ alu_case7) => diff |
                   alu_case8 => (bxor rep (rlatch, mlatch)) |
                   alu_case9 => (band rep (rlatch, mlatch)) |
                   alu_case10 => (bnor rep (rlatch, mlatch)) |
                   alu_case11 => (band rep (rlatch, bnot rep mlatch)) |
                   alu_case12 => (shr rep rlatch) |
                   alu_case13 => (shrb rep (rlatch, b)) |
                   alu_case14 => (shl rep rlatch) |
                   (shlb rep (rlatch, b))) in
     let w_reg = ((Dfc mir) => (Mdf mir) | DSF rep insreg) in
     let new_regs =
       ((Re mir) =>
         (((Dfc mir) /\ ((Mdf mir = (T,T,F)) \/ (Mdf mir = (T,T,T)))) =>
           regs |
           update_reg regs w_reg b result) |
         regs) in
     let new_mreg =
       ((De mir) => ((Ds mir) => mreg | din) |
         (((Re mir) /\ (Dfc mir) /\ (bt3_val (w_reg) = 6)) =>
           result | mreg)) in
     let new_insreg =
       ((De mir) => ((Ds mir) => din | insreg) |
         (((Re mir) /\ (Dfc mir) /\ (bt3_val (w_reg) = 7)) =>
           (join rep (opcode rep insreg, address rep result)) |
           insreg)) in
     let new_din = ((R mir) => ((Io mir) => fetchio rep (ram, mar) |
                                            fetch rep (ram, mar)) |
                               din) in
     let new_ram = ((W mir) => ((Io mir) => storeio rep (ram, mar, dout) |
                                            store rep (ram, mar, dout)) |
                               ram) in
     let new_b = (alu_case2 =>
                    (bcmp rep (rlatch, mlatch, b, FSF rep insreg)) |
                  alu_case4 => (addp rep (rlatch, mlatch, sum)) |
                  alu_case6 => (subp rep (rlatch, mlatch, diff)) |
                  alu_case13 => (bit0 rep rlatch) |
                  alu_case15 => (bitn rep rlatch) |
                  b) in
     let new_ovl = ((alu_case4 \/ alu_case5) =>
                      (aovfl rep (rlatch, mlatch, sum)) |
                    (alu_case6 \/ alu_case7) =>
                      (sovfl rep (rlatch, mlatch, diff)) |
                    alu_case14 => (bitn rep rlatch) |
                    F) in
     let new_res = result in
     let seq_case1 = ((Seqctl mir) = (F,F,T)) in
     let seq_case2 = ((Seqctl mir) = (F,T,F)) in
     let seq_case3 = ((Seqctl mir) = (F,T,T)) in
     let reqm = (SND (SND (decode rep (opcode rep insreg, b)))) in
     let opc = (FST (SND (decode rep (opcode rep insreg, b)))) in
     let jaddr = ((seq_case1 /\ reqm) =>
                    (bt7_ival ((bt7_val (Maddr mir)) + (bt2_val (MSF rep insreg)))) |
                  seq_case2 =>
                    (bt7_ival ((bt7_val (Maddr mir)) + (bt5_val opc))) |
                  seq_case3 => (Maddr mir) |
                  (F,F,F,F,F,F,F)) in
     let muxmc = ((seq_case1 /\ reqm) \/ seq_case2 \/ seq_case3) in
     let new_mpc = (muxmc => jaddr | bt7_ival (bt7_val mpc + 1)) in
     (new_regs, new_mreg, new_insreg, new_din, dout, new_ram, new_b, F,
      new_ovl, mar, new_res, new_mpc, mir, urom, rlatch, mlatch, T, F, F)"
%
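The microsequencer part of phase three (jaddr, muxmc, new_mpc) and the way the three phases hand control to each other are easy to lose in the expanded term. The Python below is an added executable model of both, written for this appendix and not part of the HOL sources. It follows the expanded (current) form of new_mpc, including the guard that keeps a write with memory select `(F,F)` from dispatching on the memory mode, and a tiny driver over the control fields (stop, mpc, ph1..ph3) that shows how phase two's `ph3 = ~new_stop` routes a stop into phase one, where it is latched. bt7 values are ints 0..127 (`bt7_ival` wraps modulo 128); other fields are tuples of bools, most significant bit first; `decode` is a stand-in for the abstract rep function and is an assumption here.

```python
# Added example, not part of the HOL sources: a model of the phase-three
# microsequencer (new_mpc, expanded form) and of the phase clock gating.
# `decode` stands in for the abstract rep function (assumption).
from dataclasses import dataclass, replace
from typing import List, Tuple

T, F = True, False
Bt2 = Tuple[bool, bool]
Bt3 = Tuple[bool, bool, bool]
Bt5 = Tuple[bool, bool, bool, bool, bool]


def bits_val(bits: Tuple[bool, ...]) -> int:
    """bt2_val / bt5_val: unsigned value of a most-significant-first tuple."""
    value = 0
    for bit in bits:
        value = (value << 1) | int(bit)
    return value


def bt7_ival(n: int) -> int:
    """bt7_ival: a num folded into the 7-bit microaddress space."""
    return n % 128


@dataclass(frozen=True)
class Ucode:
    seqctl: Bt3   # Seqctl mir
    maddr: int    # Maddr mir, a bt7 jump target


@dataclass(frozen=True)
class Insreg:
    opcode: Bt5   # opcode rep insreg
    msf: Bt2      # MSF rep insreg


def decode(opcode: Bt5, b: bool) -> Tuple[bool, Bt5, bool]:
    """Stand-in for `decode rep (opcode rep insreg, b)` (assumption):
    (illegal, opc, reqm), with reqm taken from the middle opcode bit."""
    return (all(opcode), opcode, opcode[2])


def phase_three_new_mpc(mir: Ucode, insreg: Insreg, b: bool, mpc: int) -> int:
    """new_mpc of phase_three_def in its expanded form."""
    _, opc, reqm = decode(insreg.opcode, b)
    seq = mir.seqctl
    seq_case1 = seq == (F, F, T)   # dispatch on the memory select field
    seq_case2 = seq == (F, T, F)   # dispatch on the opcode
    seq_case3 = seq == (F, T, T)   # unconditional jump
    bad_write = opc in {(F, F, T, T, F), (F, F, T, T, T)} and insreg.msf == (F, F)
    muxmc = (seq_case1 and reqm) or seq_case2 or seq_case3
    if not muxmc:
        return bt7_ival(mpc + 1)
    if seq_case1 and reqm and not bad_write:
        return bt7_ival(mir.maddr + bits_val(insreg.msf))
    if seq_case2:
        return bt7_ival(mir.maddr + bits_val(opc))
    if seq_case3:
        return mir.maddr
    # seq_case1 with a write whose msf is (F,F): the mux is selected but no
    # arm matches, so the next microaddress is 0.  Phase two stops on the
    # same condition, so phase three is not reached with it in practice.
    return 0


@dataclass(frozen=True)
class Ctl:
    """Control part of the phase-level state: stop, mpc and ph1..ph3."""
    stop: bool
    mpc: int
    ph1: bool
    ph2: bool
    ph3: bool


def get_phase_clock(s: Ctl) -> str:
    """GetPhaseClock: ph2 selects TWO, else ph3 selects THREE, else ONE."""
    return "TWO" if s.ph2 else ("THREE" if s.ph3 else "ONE")


def step(s: Ctl, new_stop: bool, new_mpc: int) -> Ctl:
    """One phase-level cycle on the control fields; new_stop is what the
    phase-two stop logic computes and new_mpc what the sequencer computes,
    both supplied by the caller."""
    phase = get_phase_clock(s)
    if phase == "ONE":
        if s.stop:                       # phase_one: a stopped machine stays
            return Ctl(T, 0, F, F, F)    # stopped, mpc zeroed, all phases F
        return replace(s, stop=F, ph1=F, ph2=T, ph3=F)
    if phase == "TWO":                   # phase_two: ph3 = ~new_stop
        return replace(s, stop=new_stop, ph1=F, ph2=F, ph3=not new_stop)
    return Ctl(F, new_mpc, T, F, F)      # phase_three: back to phase one


def run(s: Ctl, new_stop: bool, new_mpc: int, cycles: int) -> Tuple[List[str], Ctl]:
    """Names of the phases visited over `cycles` cycles, and the final state."""
    trace = []
    for _ in range(cycles):
        trace.append(get_phase_clock(s))
        s = step(s, new_stop, new_mpc)
    return trace, s
```

Running `run` with `new_stop=False` gives the ONE, TWO, THREE rotation with mpc advancing once per rotation; with `new_stop=True` the trace is ONE, TWO, ONE, ONE, ..., the stop flag stays set and mpc is 0, which is exactly the stop latch that phase_one_def describes.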
%
Selector function on phase level state for the phase level
counter.
%

let GetPhaseClock = new_definition
 (`GetPhaseClock`,
  "! (regs:(*wordn)list) (mreg insreg din dout:*wordn)
     (ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
     (mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
     (ph1 ph2 ph3:bool) (reset:bool) .
   GetPhaseClock (regs, mreg, insreg, din, dout, ram, b, stop, ovl, mar,
                  res, mpc, mir, urom, rlatch, mlatch, ph1, ph2, ph3) (reset) =
     (ph2 => TWO |
      ph3 => THREE |
      ONE)"
 );;

%
Gives the number of EBM cycles to implement one phase level
cycle.
%

let PhaseLevelCycles = new_definition
 (`PhaseLevelCycles`,
  "! t:triple.
   PhaseLevelCycles t = 1"
 );;

let PhaseClockBegin = new_definition
 (`PhaseClockBegin`,
  "PhaseClockBegin = ONE"
 );;


%
Substate function from the phase level state to the micro level state.
%

let Phase_Substate = new_definition
 (`Phase_Substate`,
  "! (regs:(*wordn)list) (mreg insreg din dout:*wordn)
     (ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
     (mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
     (ph1 ph2 ph3:bool) (reset:bool) .
   Phase_Substate (regs, mreg, insreg, din, dout, ram, b, stop, ovl, mar,
                   res, mpc, mir, urom, rlatch, mlatch, ph1, ph2, ph3) =
     (regs, mreg, insreg, din, dout, ram, b, stop, ovl, mar, res, mpc)"
 );;

%
I serves as the substate function since the state
of the phase level is identical to the state of the EBM.

I also serves as the subenv function since the set of external
lines in the phase level is the same as the set of external
lines in the EBM.
%

close_theory();;
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1 


File: mk.phase.ml 

Description: Defines the phase level interpreter in terms of the 

definitions in block.def . th, phase.def . th, and gen.I.th. 

Proves the lemmas meeting the theory obligations for the 
abstract theory gen.I.th and instantiates a proof of the 
phase level in terms of the EBM. 

% 

set.search.path (search.pathO C lib.dir.list ) ; ; 

loadf ‘abstract 4 ;; 

system 4 /bin/rm phase. th 4 ; ; 

new.theory * phase 4 ; ; 

map new.parent [ 4 gen_I * ; ‘phase.def ‘ ; ‘block.def 4 ] ; ; 
load.def initions 4 threeval 4 ; ; 
load. theorems 4 threeval 4 ; ; 

let time. shift = definition ‘genii' 4 time. shift 4 ; ; 

let GetPhaseClock » definition ‘phase.def 4 ‘GetPhaseClock 4 ;; 

let PhaseLevelCycles * definition ‘phase.def 4 4 PhaseLevelCycles‘ ; ; 

let phase.one.def * definition ‘phase.def 4 ‘phase.one.def 4 ;; 

let phase.tvo.def - definition 4 phase_def 4 ‘phase.two.def 4 ; ; 

let phase. three.def * definition ‘phase.def 4 ‘phase.three.def 4 ; ; 

let GetEBMClock = definition ‘block.def 4 4 GetEBMClock 4 ; ; 

let EBM.Start = definition ‘block.def 4 ‘EBM.Start 4 ;; 

let EBM. expanded * theorem ‘block.def 4 4 EBM_ expanded 4 ; ; 

loadf ‘tuple 4 ;; 

let rep.ty = abstract. type ‘aux.def 4 ‘opcode 4 ;; 
let I.rep.ty = abstract. type ‘gen.I 4 ‘Impl 4 ;; 
let Phase.state = 

M : (*wordn)list # *wordn # *vordn # *wordn # *wordn t ^memory # bool # 
bool # bool # *address # *wordn # bt7 # ucode # (num -> ucode) # 
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♦wordn # *wordn # bool # bool tt bool' 1 ;; 


let Phase_env = ":bool M ;; 
let EBM.state = Phase. state ; ; 
let EBM.env = Phase.env; ; 


%
We might as well do this now, we'll have to do it sooner or
later.
%

%
let phase_two_expanded =
    EXPAND_LET_RULE phase_two_def;;

let phase_three_expanded =
    EXPAND_LET_RULE phase_three_def;;
%

%
Define the phase level interpreter in terms of the generic
interpreter definition.
%

let Phase_I_def = new_definition
 (`Phase_I_def`,
  "! (rep:^rep_ty) (s:time->^Phase_state) (e:time->^Phase_env) .
   Phase_I rep s e =
     INTERP
       ([ONE, phase_one rep;
         TWO, phase_two rep;
         THREE, phase_three rep],
        triple_value,
        (GetPhaseClock:^Phase_state->^Phase_env->triple),
        (PhaseLevelCycles:triple->num),
        (I:^EBM_state->^Phase_state),
        (I:^EBM_env->^Phase_env), EBM rep,
        (GetEBMClock:^EBM_state->^EBM_env->bool),
        EBM_Start, (\x:one. F)) s e"
 );;

let PHASE_I = save_thm
 (`PHASE_I`,
  BETA_RULE (EXPAND_LET_RULE
    (instantiate_abstract_definition `gen_I` `INTERP` Phase_I_def)));;

let Phase_I_IMPL_IMP_DEF = new_definition
 (`Phase_I_IMPL_IMP_DEF`,
  "! (rep:^rep_ty) s' e'.
   Phase_I_IMPL_IMP rep s' e' =
     IMPL_IMP
       ([ONE, phase_one rep;
         TWO, phase_two rep;
         THREE, phase_three rep],
        triple_value,
        (GetPhaseClock:^Phase_state->^Phase_env->triple),
        (PhaseLevelCycles:triple->num),
        (I:^EBM_state->^Phase_state),
        (I:^EBM_env->^Phase_env), EBM rep,
        (GetEBMClock:^EBM_state->^EBM_env->bool),
        EBM_Start, (\x:one. F)) s' e'"
 );;

let Phase_I_IMPL_IMP =
  let Phase_I_EXT =
    CONV_RULE (TOP_DEPTH_CONV FUN_EQ_CONV) Phase_I_IMPL_IMP_DEF in
  (REWRITE_RULE [I_THM] (BETA_RULE (EXPAND_LET_RULE
    (instantiate_abstract_definition
      `gen_I` `IMPL_IMP` Phase_I_EXT))));;


%
We need to establish the first theory obligation for the abstract
theory for a generic interpreter. First, we
will prove Phase_I_IMPL_IMP applies to each of the phases and
then use these results to establish that Phase_I_IMPL_IMP applies
to EVERY instruction (i.e. the first theory obligation).
%

%
A lemma needed for rewriting
%

let cond3_def = new_definition
 (`cond3_def`,
  "! c1 c2 . cond3_def c1 c2 =
     (c1 => TWO |
      c2 => THREE |
      ONE)"
 );;

let xx = prove_constructors_distinct triple;;

let cond3_lemma = prove_thm
 (`cond3_lemma`,
  "! c1 c2 . (((cond3_def c1 c2 = TWO) ==> c1) /\
              ((cond3_def c1 c2 = THREE) ==> c2) /\
              ((cond3_def c1 c2 = ONE) ==> (~c1 /\ ~c2)))",
  REPEAT GEN_TAC THEN REWRITE_TAC [cond3_def] THEN
  MAP_EVERY BOOL_CASES_TAC ["c1:bool"; "c2:bool"]
  THEN REWRITE_TAC [PAIR_EQ] THEN REWRITE_TAC (CONJUNCTS xx) THEN
  REWRITE_TAC
    [NOT_EQ_SYM (hd (CONJUNCTS xx)); NOT_EQ_SYM (hd (tl (CONJUNCTS xx)));
     NOT_EQ_SYM (hd (tl (tl (CONJUNCTS xx))))]
 );;

let COND_NULL_LEMMA = TAC_PROOF
 (([], "! b (c:*) .
        (b => c | c) = c"),
  REPEAT GEN_TAC
  THEN BOOL_CASES_TAC "b:bool"
  THEN REWRITE_TAC []
 );;


PHASE.EBM.TAC is used to prove that the individual phases 
satisfy Phase.I.IMPL.IMP. 

let PHASE.EBM.TAC = 

PURE_ONCE.REWRITE.TAC [Phase.I.IMPL.IMP] 

THEN REPEAT GEN.TAC 
THEN BETA.TAC 

THEN REWRITE.TAC [GetPhaseClock;PhaseLevelCycles; 

GetEBMClock ; EBM.Start ;phase_one_def ; 
phase.two.def ;phase_three_def] 

THEN SUBST.TAC [EBM.expanded] 

THEN REPEAT STRIP.TAC 

THEN POP. ASSUM. LIST (\asl. (MAP.EVERY (STRIP.ASSUME.TAC o SPEC.ALL) asl)) 
THEN POP. ASSUM. LI ST (\asl. (MAP.EVERY (STRIP.ASSUME.TAC o SPEC.ALL) asl)); 

let PHASE_ONE_EBM_LEMMA = TAC_PROOF
 (([],
   "! (rep:^rep_ty) (regs:time->(*wordn)list)
      (mreg insreg din dout:time->*wordn) (ram:time->*memory)
      (b stop ovl:time->bool) (mar:time->*address) (res:time->*wordn)
      (mpc:time->bt7) (mir:time->ucode) (urom:num->ucode)
      (rlatch mlatch:time->*wordn) (ph1 ph2 ph3:time->bool)
      (reset:time->bool) .
    Phase_I_IMPL_IMP rep
      (\t:num.
        (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
         ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
         ph1 t, ph2 t, ph3 t))
      (\t:num. (reset t))
      (ONE, phase_one rep)"),
  PHASE_EBM_TAC
  THEN POP_ASSUM (\thm. STRIP_ASSUME_TAC (MULTI_MP
    (CONJUNCTS (SPECL ["(ph2 t):bool"; "(ph3 t):bool"]
      (REWRITE_RULE [cond3_def] cond3_lemma))) thm))
  THEN COND_CASES_TAC
  THEN POP_ASSUM (\thm. ASSUME_TAC (REWRITE_RULE [] thm))
  THEN REWRITE_TAC [PAIR_EQ]
  THENL [
    ASSUM_LIST (\asl. STRIP_ASSUME_TAC
      (REWRITE_RULE [el 1 asl] (el 13 asl))) THEN
    POP_ASSUM_LIST (\asl. (MAP_EVERY
      (CHECK_ASSUME_TAC o (REWRITE_RULE
        [(el 1 asl); (el 2 asl); (el 3 asl); (el 4 asl)])) asl)) THEN
    ASM_REWRITE_TAC [] THEN
    REWRITE_TAC [COND_NULL_LEMMA]
    ;
    ASSUM_LIST (\asl. STRIP_ASSUME_TAC
      (REWRITE_RULE [(el 1 asl); (el 2 asl); (el 3 asl)]
        (el 12 asl))) THEN
    POP_ASSUM_LIST (\asl. (MAP_EVERY
      (CHECK_ASSUME_TAC o (REWRITE_RULE
        [(el 1 asl); (el 2 asl); (el 3 asl); (el 4 asl)])) asl)) THEN
    ASM_REWRITE_TAC [] THEN
    REWRITE_TAC [COND_NULL_LEMMA]
  ]
 );;

let PHASE_TWO_EBM_LEMMA = TAC_PROOF
 (([],
   "! (rep:^rep_ty) (regs:time->(*wordn)list)
      (mreg insreg din dout:time->*wordn) (ram:time->*memory)
      (b stop ovl:time->bool) (mar:time->*address) (res:time->*wordn)
      (mpc:time->bt7) (mir:time->ucode) (urom:num->ucode)
      (rlatch mlatch:time->*wordn) (ph1 ph2 ph3:time->bool)
      (reset:time->bool) .
    Phase_I_IMPL_IMP rep
      (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
            ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
            ph1 t, ph2 t, ph3 t))
      (\t. (reset t))
      (TWO, phase_two rep)"),
  PHASE_EBM_TAC THEN
  REWRITE_TAC [PAIR_EQ] THEN
  POP_ASSUM (\thm. STRIP_ASSUME_TAC (MULTI_MP
    (CONJUNCTS (SPECL ["(ph2 t):bool"; "(ph3 t):bool"]
      (REWRITE_RULE [cond3_def] cond3_lemma))) thm)) THEN
  ASSUM_LIST (\asl. STRIP_ASSUME_TAC
    (REWRITE_RULE [el 1 asl] (el 9 asl))) THEN
  POP_ASSUM_LIST (\asl. (MAP_EVERY
    (CHECK_ASSUME_TAC o (REWRITE_RULE
      [(el 1 asl); (el 2 asl); (el 3 asl); (el 4 asl)])) asl)) THEN
  ASM_REWRITE_TAC [] THEN
  REWRITE_TAC [COND_NULL_LEMMA]
 );;

let PHASE_THREE_EBM_LEMMA = TAC_PROOF
 (([],
   "! (rep:^rep_ty) (regs:time->(*wordn)list)
      (mreg insreg din dout:time->*wordn) (ram:time->*memory)
      (b stop ovl:time->bool) (mar:time->*address) (res:time->*wordn)
      (mpc:time->bt7) (mir:time->ucode) (urom:num->ucode)
      (rlatch mlatch:time->*wordn) (ph1 ph2 ph3:time->bool)
      (reset:time->bool) .
    Phase_I_IMPL_IMP rep
      (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
            ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
            ph1 t, ph2 t, ph3 t))
      (\t. (reset t))
      (THREE, phase_three rep)"),
  PHASE_EBM_TAC THEN
  REWRITE_TAC [PAIR_EQ] THEN
  POP_ASSUM (\thm. STRIP_ASSUME_TAC (MULTI_MP
    (CONJUNCTS (SPECL ["(ph2 t):bool"; "(ph3 t):bool"]
      (REWRITE_RULE [cond3_def] cond3_lemma))) thm)) THEN
  ASSUM_LIST (\asl. STRIP_ASSUME_TAC
    (REWRITE_RULE [el 1 asl] (el 8 asl))) THEN
  POP_ASSUM_LIST (\asl. (MAP_EVERY
    (CHECK_ASSUME_TAC o (REWRITE_RULE
      [(el 1 asl); (el 2 asl); (el 3 asl); (el 4 asl)])) asl)) THEN
  ASSUM_LIST (\asl. REWRITE_TAC [SYM
    (REWRITE_RULE [el 43 asl] (el 8 asl))]) THEN
  POP_ASSUM_LIST (\asl. MAP_EVERY (\thm.
    let rat = ((fst o dest_var o rator o fst o dest_eq)
                 (concl thm) ? `xxx`) and
        ran = ((fst o dest_var o rand o fst o dest_eq)
                 (concl thm) ? `xxx`) in
    if ((mem rat (words `result`)) & (mem ran (words `t`)))
    then ALL_TAC else ASSUME_TAC thm) asl) THEN
  ASM_REWRITE_TAC [] THEN
  POP_ASSUM_LIST (\asl. ALL_TAC) THEN
  BOOL_CASES_TAC "R(mir t):bool" THEN REWRITE_TAC []
 );;




%
The first obligation of the abstract interpreter theory
%

let Phase_I_EVERY_IMPL_IMP = TAC_PROOF
 (([],
   "! (rep:^rep_ty) (regs:time->(*wordn)list)
      (mreg insreg din dout:time->*wordn) (ram:time->*memory)
      (b stop ovl:time->bool) (mar:time->*address) (res:time->*wordn)
      (mpc:time->bt7) (mir:time->ucode) (urom:num->ucode)
      (rlatch mlatch:time->*wordn) (ph1 ph2 ph3:time->bool)
      (reset:time->bool) .
    EVERY (Phase_I_IMPL_IMP rep
            (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
                  ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
                  ph1 t, ph2 t, ph3 t))
            (\t. (reset t)))
          [ONE, phase_one rep;
           TWO, phase_two rep;
           THREE, phase_three rep]"),
  REWRITE_TAC [EVERY_DEF]
  THEN REPEAT STRIP_TAC
  THEN FIRST [
    MATCH_ACCEPT_TAC PHASE_ONE_EBM_LEMMA;
    MATCH_ACCEPT_TAC PHASE_TWO_EBM_LEMMA;
    MATCH_ACCEPT_TAC PHASE_THREE_EBM_LEMMA
  ]
 );;

let Phase_I_EVERY_LEMMA = (SPEC_ALL
  (PURE_ONCE_REWRITE_RULE [Phase_I_IMPL_IMP_DEF] Phase_I_EVERY_IMPL_IMP));;




%
The second obligation of the abstract interpreter theory
%

let Phase_I_LENGTH_LEMMA = TAC_PROOF
 (([],
   "! k:triple. triple_value k < (LENGTH [ONE, phase_one (rep:^rep_ty);
                                           TWO, phase_two rep;
                                           THREE, phase_three rep])"),
  MATCH_ACCEPT_TAC triple_LENGTH_LEMMA
 );;

%
The third obligation of the abstract interpreter theory
%

let triple_cases = prove_cases_thm (prove_induction_thm triple);;

let Phase_I_KEY_LEMMA = TAC_PROOF
 (([],
   "! k:triple . k = (FST (EL (triple_value k) [ONE, phase_one (rep:^rep_ty);
                                                 TWO, phase_two rep;
                                                 THREE, phase_three rep]))"),
  REPEAT GEN_TAC
  THEN STRUCT_CASES_TAC (SPEC "k:triple" triple_cases)
  THEN REWRITE_TAC (CONJUNCTS triple_VALUE_LEMMA)
  THEN CONV_TAC (TOP_DEPTH_CONV num_CONV)
  THEN REWRITE_TAC [EL; FST; HD; TL]
 );;


%
Get the instantiation
%

let theorem_list =
  instantiate_abstract_theorems
    `gen_I`
    [Phase_I_EVERY_LEMMA;
     Phase_I_LENGTH_LEMMA;
     Phase_I_KEY_LEMMA]
    [
     ("rep:^I_rep_ty",
      "([ONE, phase_one (rep:^rep_ty);
         TWO, phase_two rep;
         THREE, phase_three rep],
        triple_value, (GetPhaseClock:^Phase_state->^Phase_env->triple),
        PhaseLevelCycles, (I:^EBM_state->^Phase_state),
        (I:^EBM_env->^Phase_env),
        EBM rep, (GetEBMClock:^EBM_state->^EBM_env->bool), EBM_Start)");
     ("e':time->*env'",
      "(\t:time. (reset t)):time->^EBM_env");
     ("s':time->*state'",
      "(\t:time. (regs t, mreg t, insreg t, din t, dout t, ram t,
                  b t, stop t, ovl t, mar t, res t, mpc t, mir t, urom,
                  rlatch t, mlatch t, ph1 t,
                  ph2 t, ph3 t)):time->^EBM_state")
    ]
    `PHASE`;;
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I 

Timeshift doesn't mean anything at this level since they share 
a clock. 



let TIME.SHIFT.DEGENERATE.LEMMA = TAC.PROOF 

«n, 

" ! (s:time->‘Phase_state) (e:time->‘Phase_env) . 

time_shift(\st env. PhaseLevelCycles (GetPhaseClock st env)) s e = I"), 
REPEAT GEN.TAC 

THEN CONV.TAC (DEPTH.CONV FUN.EQ.CONV) 

THEN INDUCT.TAC 

THEN ONCE.REWRITE.TAC [EXPAND_LET_RULE time. shift] 

THEN ASM.REWRITE.TAC [I.THM ; PhaseLevelCycles ; GetPhaseClock ; o.DEF ; ADD1] 

);; 

let correct.lemma = snd(hd theorem.list) ; ; 

X 

Rewrite the coorectness lemma into a prettier form. 



let EBM.IMPL.PHASE.LEMMA = save.thm 
(‘EBM.IMPL.PHASE.LEMMA* , 

(ONCE.REWRITE.RULE [I.o.ID] (EXPAND.LET.RULE 
(ONCE.REWRITE.RULE 

[GetEBMClock ; EBM.St art ; I _THM ; TIME.SHIFT.DEGENERATE.LEMMA] 

(BETA.RULE 

(ONCE.REWRITE.RULE [SYM.RULE Phase.I.def] correct.lemma))))) 

);; 

close. theoryO ; ; 
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Appendix I: ELECTRONIC BLOCK LEVEL 


7 . 

File: def.regs.ml 

Description: Register file definitions 

y 

set.search.path (search.pathO $ lib.dir.list) ; ; 

system Vbin/rm regs.def . th ‘ ; 

new.theory < regs_def c ;; 

map new.parent [‘aux_def‘; ‘ aux.thms ‘ ] ; ; 

X 

Define selectors for register file 

let A = new.def inition (‘A‘, M a_reg = 0 M ) ; ; 
let X * new.def inition (‘X‘,”x_reg= 1");; 
let Y = new.def inition (‘YVy.reg = 2");; 
let P = new.def inition (‘PV'P-reg = 3");; 



Define mutators for the register file 


let update. reg * new.def inition 
( ‘update.reg* , 

” ! (registers: (*wordn) list ) (n:bt3) b value, 
update.reg registers n b value * 

<((n-(F.F,F>> \/ (n*(F,F,T)) \/ (n=(F,T,F))) => 

SET_EL (bt3_val n) registers value I 
<(n=(F,T,T)) => 

SET.EL p_reg registers value | 

(( ( (n-(T , F,F) ) /\ b) \/ ((n=(T,F,T) ) /\ ~b))) => 
SET.EL p.reg registers value I 
registers) ) M 

);; 


close_theory() ; ; 
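update_reg is the only mutator of the register file, and it is where the conditional program-counter writes (destination 4 only if b, destination 5 only if ~b) and the two non-register destination codes 6 and 7 are decided; phase_three_def in Appendix H builds its new_regs, new_mreg and new_insreg on top of it. The Python below is an added executable model of update_reg together with that phase-three write-back routing, written for this appendix and not part of the HOL sources. The register file is a 4-element sequence indexed a_reg=0, x_reg=1, y_reg=2, p_reg=3; destination codes are bt3 tuples, most significant bit first. The word layout behind `opcode`, `address` and `join` (a 20-bit address field inside a 32-bit word) is an assumption of this example that the HOL sources do not fix.

```python
# Added example, not part of the HOL sources: a model of update_reg and of
# the phase-three write-back routing (new_regs, new_mreg, new_insreg).
# The word layout used by opcode/address/join is an assumption.
from dataclasses import dataclass
from typing import List, Tuple

T, F = True, False
Bt3 = Tuple[bool, bool, bool]
A_REG, X_REG, Y_REG, P_REG = 0, 1, 2, 3
ADDR_MASK = (1 << 20) - 1               # assumption: 20-bit address field
OPCODE_MASK = 0xFFFFFFFF & ~ADDR_MASK   # assumption: the rest of a 32-bit word


def bt3_val(n: Bt3) -> int:
    return (int(n[0]) << 2) | (int(n[1]) << 1) | int(n[2])


def set_el(i: int, xs: List[int], v: int) -> List[int]:
    """SET_EL i xs v: a copy of xs with element i replaced by v."""
    out = list(xs)
    out[i] = v
    return out


def update_reg(registers: List[int], n: Bt3, b: bool, value: int) -> List[int]:
    """update_reg of regs_def.  Codes 0..2 write A, X, Y; 3 writes P;
    4 writes P only if b and 5 only if ~b; 6 and 7 leave the file alone."""
    if n in {(F, F, F), (F, F, T), (F, T, F)}:
        return set_el(bt3_val(n), registers, value)
    if n == (F, T, T):
        return set_el(P_REG, registers, value)
    if (n == (T, F, F) and b) or (n == (T, F, T) and not b):
        return set_el(P_REG, registers, value)
    return list(registers)


def opcode(word: int) -> int:           # stand-in for `opcode rep`
    return word & OPCODE_MASK


def address(word: int) -> int:          # stand-in for `address rep`
    return word & ADDR_MASK


def join(opc: int, addr: int) -> int:   # stand-in for `join rep`
    return opc | addr


@dataclass(frozen=True)
class Ucode:
    re: bool    # Re mir: enable writing the ALU result
    dfc: bool   # Dfc mir: destination comes from Mdf rather than DSF
    mdf: Bt3    # Mdf mir: microcode destination code
    de: bool    # De mir: load mreg / insreg from din instead
    ds: bool    # Ds mir: which of the two receives din


@dataclass(frozen=True)
class Regs:
    regs: Tuple[int, ...]
    mreg: int
    insreg: int


def write_back(mir: Ucode, s: Regs, din: int, dsf: Bt3, b: bool, result: int) -> Regs:
    """new_regs, new_mreg and new_insreg of phase_three_def."""
    w_reg = mir.mdf if mir.dfc else dsf
    if mir.re and not (mir.dfc and mir.mdf in {(T, T, F), (T, T, T)}):
        regs = tuple(update_reg(list(s.regs), w_reg, b, result))
    else:
        regs = s.regs
    if mir.de:
        mreg = s.mreg if mir.ds else din
        insreg = din if mir.ds else s.insreg
    else:
        # Only a microcode-selected (Dfc) destination of 6 or 7 routes the
        # result into mreg or into the address part of insreg.
        mreg = result if (mir.re and mir.dfc and bt3_val(w_reg) == 6) else s.mreg
        insreg = (join(opcode(s.insreg), address(result))
                  if (mir.re and mir.dfc and bt3_val(w_reg) == 7) else s.insreg)
    return Regs(regs, mreg, insreg)
```

Two cases are worth probing with this model: a destination code of 6 or 7 taken from the instruction register (Dfc = F) changes nothing at all, since update_reg returns the file unchanged and the mreg/insreg routes require Dfc; and a code of 4 with b = F (or 5 with b = T) is a write that silently does not happen, which is the same condition phase two's stop logic treats as `skip`.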



%
File: def_block.ml

Description: Defines the behavioral description of the electronic block
model.

Modified by ETS:

The sequence control logic now recognizes the
stop case where the pc, io space or is the target
but it is not valid.

7/17 the register block now also receives the b flag value which must
be passed to update_reg. The datapath was changed accordingly.

the msl also receives b and control unit, ebm

9/7 MSL stops for writeio or write with mf = (F,F)
%

set_search_path (search_path() @ lib_dir_list);;

loadf `abstract`;;

system `/bin/rm block_def.th`;;

new_theory `block_def`;;

map new_parent [`regs_def`; `ucode_def`; `tuple`];;
let rep_ty = abstract_type `aux_def` `opcode`;;

%
Ground
%

let GND = new_definition
 (`GND`,
  "! out. GND out = (out = F)"
 );;

%
Mux which selects one of source register selects from instn and microinstn
%

let MUXR_SPEC = new_definition
 (`MUXR_SPEC`,
  "! ctl (a:bt2) b c.
   MUXR_SPEC ctl a b c =
     c = (ctl => a | b)"
 );;
%
Mux which selects one of destination register selects from instn and microinstn
%

let MUXD_SPEC = new_definition
 (`MUXD_SPEC`,
  "! ctl (a:bt3) b c.
   MUXD_SPEC ctl a b c =
     c = (ctl => a | b)"
 );;


%
Mux which selects addresses of next microinstruction
%

let MUXM_SPEC = new_definition
 (`MUXM_SPEC`,
  "! ctl (a:bt7) b c.
   MUXM_SPEC ctl a b c =
     c = (ctl => a | b)"
 );;


%
Register specification - *wordn (MLATCH, RLATCH, RES)
%

let REG_SPEC = new_definition
 (`REG_SPEC`,
  "! (i:time->*wordn) ld out.
   REG_SPEC i ld out =
     (! t:time. out(t+1) = ld t => i t | out t)"
 );;


%
Flipflop (1-bit register) (B)
%

let FF_SPEC = new_definition
 (`FF_SPEC`,
  "! (in:time->bool) (ld:time->bool) (q:time->bool).
   FF_SPEC in ld q =
     ! t:num. q(t+1) = ((ld t) => in t | q t)"
 );;


%
Register with enable input - *wordn (DIN, DOUT)
%

let REG_EN_SPEC = new_definition
 (`REG_EN_SPEC`,
  "! set clk (in:time->*wordn) out.
   REG_EN_SPEC set clk in out =
     ! t:time. out (t+1) = ((set t) /\ (clk t)) => in t | out t"
 );;



%
Register with enable input - *address (MAR)
%

let MAR_SPEC = new_definition
 (`MAR_SPEC`,
  "! set clk (in:time->*address) out.
   MAR_SPEC set clk in out =
     ! t:time. out (t+1) = ((set t) /\ (clk t)) => in t | out t"
 );;



%
PHASE CLOCK
%

let PHASE_CLOCK_SPEC = new_definition
 (`PHASE_CLOCK_SPEC`,
  "! dis p1 p2 p3.
   PHASE_CLOCK_SPEC dis p1 p2 p3 =
     ! t:time. (dis t ==> ~(p1 t) /\ ~(p2 t) /\ ~(p3 t)) /\
               (p1 t = ~(dis t) /\ ~(p2 t) /\ ~(p3 t)) /\
               (p2 t = ~(dis t) /\ ~(p1 t) /\ ~(p3 t)) /\
               (p3 t = ~(dis t) /\ ~(p1 t) /\ ~(p2 t)) /\
               (p1 (t+1) = (p3 t)) /\
               (p2 (t+1) = (p1 t)) /\
               (p3 (t+1) = ((p2 t) => ~(dis (t+1)) | F))"
  % there would be a race here, but it can be gotten rid of
    by feeding this block with the unstrobed "stop" right out
    of the STOP unit. It makes NO difference at the spec level %
 );;



%
STOP unit
%

let STOP_SPEC = new_definition
 (`STOP_SPEC`,
  "! out in1 in2 strobe.
   STOP_SPEC out in1 in2 strobe =
     ! t:time. out (t+1) = (strobe t) => ((in1 t) \/ (in2 t)) | out t"
 );;

%
MPC unit
%

let MPC_SPEC = new_definition
 (`MPC_SPEC`,
  "! dis strobe (in:time->bt7) out.
   MPC_SPEC dis strobe in out =
     ! t:time. (out (t+1) = (strobe t) => in t |
                            (dis t) => (F,F,F,F,F,F,F) |
                            out t)"
 );;

%
INSTRUCTION DECODER
%

let INSDEC_SPEC = new_definition
 (`INSDEC_SPEC`,
  "! (rep:^rep_ty) (opcin:*opcode) (b enable stop reqm:bool) (opcout:bt5).
   INSDEC_SPEC rep opcin b enable stop opcout reqm =
     (stop = (FST (decode rep (opcin, b))) /\ enable) /\
     (opcout = FST (SND (decode rep (opcin, b)))) /\
     (reqm = SND (SND (decode rep (opcin, b))))"
 );;

%
MICRO-SEQUENCING LOGIC (MSL)
%

let MSL_SPEC = new_definition
 (`MSL_SPEC`,
  "! (rep:^rep_ty) (res:*wordn) (b ovl reqm:bool) (opc:bt5) (df seqctl:bt3)
     (mf:bt2) (me stop:bool) (maddr jaddr:bt7).
   MSL_SPEC rep maddr seqctl res b ovl df mf reqm opc stop jaddr me =
     let case1 = (seqctl = (F,F,T)) in
     let case2 = (seqctl = (F,T,F)) in
     let case3 = (seqctl = (F,T,T)) in
     let case4 = (seqctl = (T,F,F)) in
     let case5 = (seqctl = (T,F,T)) in
     let case6 = (seqctl = (T,T,F)) in
     let case7 = (seqctl = (T,T,T)) in
     let bad_res = ~(valid_address rep res) in
     let pdest = ((df=(F,T,T)) \/ (df=(T,F,F)) \/ (df=(T,F,T))) in
     let skip = ((df=(T,F,F)) /\ ~b) \/ ((df=(T,F,T)) /\ b) in
     let bad_rdest = ((df=(T,T,F)) \/ (df=(T,T,T))) in
     let bad_dest = ((df=(F,T,T)) \/ (df=(T,F,F)) \/ (df=(T,F,T))
                     \/ (df=(T,T,F)) \/ (df=(T,T,T))) in
     let bad_write = (((opc=(F,F,T,T,F)) \/ (opc=(F,F,T,T,T))) /\
                      (mf=(F,F))) in
     ((stop = ((case1 /\ bad_write) \/
               (case4 /\ ovl) \/
               (case5 /\ bad_res) \/
               (case6 /\ (bad_rdest \/
                          (~skip /\ pdest /\ bad_res))) \/
               (case7 /\ bad_dest)))
      /\
      (jaddr = ((case1 /\ ~bad_write /\ reqm)
                  => (bt7_ival ((bt7_val maddr)+(bt2_val mf))) |
                case2 => (bt7_ival ((bt7_val maddr) + (bt5_val opc))) |
                case3 => maddr |
                (F,F,F,F,F,F,F)))
      /\
      (me = ((case1 /\ reqm) \/ case2 \/ case3)))"
 );;

%
ALU
%

let ALU_SPEC = new_definition
 (`ALU_SPEC`,
  "! (rep:^rep_ty) (r m result:*wordn) (ovl inb outb:bool) (aluctl ff:bt4).
   ALU_SPEC rep r m result ovl inb outb aluctl ff =
     let case0 = (aluctl = (F,F,F,F)) in
     let case1 = (aluctl = (F,F,F,T)) in
     let case2 = (aluctl = (F,F,T,F)) in
     let case3 = (aluctl = (F,F,T,T)) in
     let case4 = (aluctl = (F,T,F,F)) in
     let case5 = (aluctl = (F,T,F,T)) in
     let case6 = (aluctl = (F,T,T,F)) in
     let case7 = (aluctl = (F,T,T,T)) in
     let case8 = (aluctl = (T,F,F,F)) in
     let case9 = (aluctl = (T,F,F,T)) in
     let case10 = (aluctl = (T,F,T,F)) in
     let case11 = (aluctl = (T,F,T,T)) in
     let case12 = (aluctl = (T,T,F,F)) in
     let case13 = (aluctl = (T,T,F,T)) in
     let case14 = (aluctl = (T,T,T,F)) in
     let case15 = (aluctl = (T,T,T,T)) in
     let sum = (add rep (r,m)) in
     let diff = (sub rep (r,m)) in
     ((outb = (case2 => (bcmp rep (r, m, inb, ff)) |
               case4 => (addp rep (r, m, sum)) |
               case6 => (subp rep (r, m, diff)) |
               case13 => (bit0 rep r) |
               case15 => (bitn rep r) |
               inb))
      /\
      (ovl = ((case4 \/ case5) => (aovfl rep (r, m, sum)) |
              (case6 \/ case7) => (sovfl rep (r, m, diff)) |
              case14 => (bitn rep r) |
              F))
      /\
      (result = (((case0) \/ (case2)) => m |
                 case1 => r |
                 case3 => (neg rep m) |
                 (case4 \/ case5) => sum |
                 (case6 \/ case7) => diff |
                 case8 => (bxor rep (r, m)) |
                 case9 => (band rep (r, m)) |
                 case10 => (bnor rep (r, m)) |
                 case11 => (band rep (r, bnot rep m)) |
                 case12 => (shr rep r) |
                 case13 => (shrb rep (r, inb)) |
                 case14 => (shl rep r) |
                 (shlb rep (r, inb)))))"
 );;


%
Register block
%

let REGISTER_BLOCK = new_definition
 (`REGISTER_BLOCK`,
  "! (rep:^rep_ty) (regs:time->(*wordn)list) strobe din_en result_en din_sel
     addr_sel (mreg insreg result din r m:time->*wordn) (r_sel m_sel:time->bt2)
     (result_sel mdf:time->bt3) (mar:time->*address) (ir:time->*opcode) dfc
     (b:time->bool).
   REGISTER_BLOCK rep result din strobe r_sel result_sel din_en result_en
                  addr_sel din_sel m_sel mar ir r m regs mreg insreg dfc mdf b =
     ! t:time.
       ((regs (t+1) =
          (((strobe t) /\ (result_en t)) =>
             (((dfc t) /\ ((mdf t = (T,T,F)) \/ (mdf t = (T,T,T)))) =>
                regs t |
                (update_reg (regs t) (result_sel t) (b t) (result t))) |
             (regs t))) /\
        (mreg (t+1) =
          ((strobe t) =>
             ((din_en t) => ((din_sel t) => (mreg t) | (din t)) |
              (((result_en t) /\ (dfc t) /\ (bt3_val(result_sel t)=6)) =>
                 (result t) | (mreg t))) |
             mreg t)) /\
        (insreg (t+1) =
          ((strobe t) =>
             ((din_en t) => ((din_sel t) => (din t) | (insreg t)) |
              (((result_en t) /\ (dfc t) /\ (bt3_val(result_sel t)=7)) =>
                 (join rep (opcode rep (insreg t), address rep (result t))) |
                 (insreg t))) |
             insreg t)) /\
        (r t =
          (EL (bt2_val (r_sel t)) (regs t))) /\
        (m t =
          (((m_sel t) = (F,F)) => (mreg t) |
           ((m_sel t) = (F,T)) => (wordn rep 1) |
           (pad rep (address rep (insreg t))))) /\
        (ir t =
          (opcode rep (insreg t))) /\
        (mar t =
          (addr_sel t => (address rep (insreg t)) |
           (address rep (EL p_reg (regs t))))))"
 );;

%
Memory
%

let EXT_INTERFACE = new_definition
 (`EXT_INTERFACE`,
  "! (rep:^rep_ty) rd wr io strobe addr w_data r_data ram.
   EXT_INTERFACE rep rd wr io strobe addr w_data r_data ram =
     !t:time.
       (ram (t+1) =
          (((wr t) /\ (strobe t)) =>
             (io t => storeio rep (ram t, addr t, w_data t) |
                      store rep (ram t, addr t, w_data t)) |
             ram t)) /\
       (r_data t =
          (((rd t) /\ (strobe t)) =>
             (io t => fetchio rep (ram t, addr t) |
                      fetch rep (ram t, addr t)) |
             (wordn rep 0)))"
  % actually 0 can be replaced by ARB. 0 is chosen for simplicity %
 );;


%
Control Unit
%

let CONTROL_UNIT = new_definition
 (`CONTROL_UNIT`,
  "! (rep:^rep_ty) (mpc:time->bt7)
     (ph1 ph2 ph3 stop reqm msl_stop b ovl r w io dfc de re adrs
      ds:time->bool) (rs:time->bt2) (rft mft:bt2) (ress mdf:time->bt3)
     (dft:bt3) (opc:time->bt5) (res:time->*wordn) (mir:time->ucode)
     (aluctl:time->bt4) (dec_ctl:time->bool)
     (urom:(time->num->ucode)) (reset:time->bool).
   CONTROL_UNIT rep mpc ph1 ph2 ph3 stop rft mft dft reqm opc msl_stop res
                b ovl mir aluctl dec_ctl r w io mdf dfc rs ress de re adrs ds
                ms urom (reset) =
     ! t:time.
       ? maddr seqctl jaddr me muxm_o mrf rfc.
         ((MSL_SPEC rep (maddr t) (seqctl t) (res t) (b t) (ovl t) dft mft
                    (reqm t) (opc t) (msl_stop t) (jaddr t) (me t))
          /\
          (PHASE_CLOCK_SPEC stop ph1 ph2 ph3)
          /\
          (MUXM_SPEC (me t) (jaddr t) (bt7_ival ((bt7_val (mpc t)) + 1)) (muxm_o t))
          /\
          (MPC_SPEC stop ph3 muxm_o mpc)
          /\
          (mir (t+1) = (ph1 t) => urom t (bt7_val (mpc t)) | mir t)
          /\
          (maddr t = (Maddr (mir t))) /\
          (seqctl t = (Seqctl (mir t))) /\
          (aluctl t = (Aluctl (mir t))) /\
          (dec_ctl t = (Dec_ctl (mir t))) /\
          (r t = (R (mir t))) /\
          (w t = (W (mir t))) /\
          (io t = (Io (mir t))) /\
          (mrf t = (Mrf (mir t))) /\
          (mdf t = (Mdf (mir t))) /\
          (rfc t = (Rfc (mir t))) /\
          (dfc t = (Dfc (mir t))) /\
          (de t = (De (mir t))) /\
          (re t = (Re (mir t))) /\
          (adrs t = (Adrs (mir t))) /\
          (ds t = (Ds (mir t))) /\
          (ms t = (Ms (mir t))) /\
          (MUXR_SPEC (rfc t) (mrf t) (rft) (rs t)) /\
          (MUXD_SPEC (dfc t) (mdf t) (dft) (ress t)))"
 );;

%
Data path
%

let DATAPATH = new_definition
 (`DATAPATH`,
  "! (rep:^rep_ty) (din dout rlatch mlatch res mreg insreg:time->*wordn)
     (b ovl reqm stop msl_stop ph2 ph3 rd wr io dfc din_en result_en
      addr_sel din_sel:time->bool)
     (mar:time->*address) (opc:time->bt5) (regs:time->(*wordn)list)
     (r_sel m_sel:time->bt2) (rft mft:bt2) (result_sel mdf:time->bt3)
     (dft:bt3) (ram:time->*memory) (aluctl:time->bt4)
     (dec_ctl reset:time->bool).
   DATAPATH rep din dout b mar rlatch mlatch res ovl opc reqm stop msl_stop
            ph2 ph3 regs mreg insreg rft mft dft ram rd wr io mdf dfc aluctl
            dec_ctl r_sel result_sel din_en result_en addr_sel din_sel
            m_sel reset =
     ! t:time.
       ? din_i mar_i rlatch_i mlatch_i result alu_ovl alu_b ir dec_stop.
         ((rft = RSF rep (insreg t)) /\
          (mft = MSF rep (insreg t)) /\
          (dft = DSF rep (insreg t)) /\
          (REGISTER_BLOCK rep result din ph3 r_sel result_sel din_en result_en
                          addr_sel din_sel m_sel mar_i ir rlatch_i mlatch_i regs mreg insreg
                          dfc mdf b)
          /\
          (MAR_SPEC (\t. ((rd t) \/ (wr t))) ph2 mar_i mar)
          /\
          (REG_EN_SPEC rd ph3 din_i din)
          /\
          (REG_EN_SPEC wr ph2 rlatch_i dout)
          /\
          (EXT_INTERFACE rep rd wr io ph3 mar dout din_i ram)
          /\
          (REG_SPEC mlatch_i ph2 mlatch)
          /\
          (REG_SPEC rlatch_i ph2 rlatch)
          /\
          (ALU_SPEC rep (rlatch t) (mlatch t) (result t) (alu_ovl t) (b t)
                    (alu_b t) (aluctl t) (FSF rep (insreg t)))
          /\
          (REG_SPEC result ph3 res)
          /\
          (FF_SPEC alu_ovl ph3 ovl)
          /\
          (FF_SPEC alu_b ph3 b)
          /\
          (INSDEC_SPEC rep (ir t) (b t) (dec_ctl t) (dec_stop t) (opc t) (reqm t))
          /\
          (STOP_SPEC stop dec_stop msl_stop ph2))"
 );;

%
Define State and selector functions for s:time->^EBM_state
%

let EBM_state =
 ":(*wordn)list #          % regs %
  (*wordn #                % mreg %
  (*wordn #                % insreg %
  (*wordn #                % din %
  (*wordn #                % dout %
  (*memory #               % ram %
  (bool #                  % b %
  (bool #                  % stop %
  (bool #                  % ovl %
  (*address #              % mar %
  (*wordn #                % res %
  (bt7 #                   % mpc %
  (ucode #                 % mir %
  ((num -> ucode) #        % urom %
  (*wordn #                % rlatch %
  (*wordn #                % mlatch %
  (bool #                  % phase1 %
  (bool # bool)))))))))))))))))";;   % phase2, phase3 %

let RegsS = new_definition
 (`RegsS`,
  "!(t:time) (s:time->^EBM_state).
   RegsS s t = FST(s t)"
 );;

let RegsS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    RegsS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
                ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
                ph1 t, ph2 t, ph3 t)) = regs"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [RegsS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let MregS = new_definition
 (`MregS`,
  "!(t:time) (s:time->^EBM_state).
   MregS s t = FST(SND(s t))"
 );;

let MregS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    MregS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
                ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
                ph1 t, ph2 t, ph3 t)) = mreg"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [MregS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let InsregS = new_definition
 (`InsregS`,
  "!(t:time) (s:time->^EBM_state).
   InsregS s t = FST(SND(SND(s t)))"
 );;

let InsregS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    InsregS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
                  ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
                  ph1 t, ph2 t, ph3 t)) = insreg"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [InsregS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let DinS = new_definition
 (`DinS`,
  "!(t:time) (s:time->^EBM_state).
   DinS s t = FST(SND(SND(SND(s t))))"
 );;

let DinS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    DinS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
               ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
               ph1 t, ph2 t, ph3 t)) = din"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [DinS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let DoutS = new_definition
 (`DoutS`,
  "!(t:time) (s:time->^EBM_state).
   DoutS s t = FST(SND(SND(SND(SND(s t)))))"
 );;

let DoutS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    DoutS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
                ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
                ph1 t, ph2 t, ph3 t)) = dout"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [DoutS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let RamS = new_definition
 (`RamS`,
  "!(t:time) (s:time->^EBM_state).
   RamS s t = FST(SND(SND(SND(SND(SND(s t))))))"
 );;

let RamS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    RamS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
               ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
               ph1 t, ph2 t, ph3 t)) = ram"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [RamS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let BS = new_definition
 (`BS`,
  "!(t:time) (s:time->^EBM_state).
   BS s t = FST(SND(SND(SND(SND(SND(SND(s t)))))))"
 );;

let BS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    BS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
             ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
             ph1 t, ph2 t, ph3 t)) = b"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [BS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let StopS = new_definition
 (`StopS`,
  "!(t:time) (s:time->^EBM_state).
   StopS s t = FST(SND(SND(SND(SND(SND(SND(SND(s t))))))))"
 );;

let StopS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    StopS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
                ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
                ph1 t, ph2 t, ph3 t)) = stop"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [StopS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let OvlS = new_definition
 (`OvlS`,
  "!(t:time) (s:time->^EBM_state).
   OvlS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(s t)))))))))"
 );;

let OvlS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    OvlS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
               ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
               ph1 t, ph2 t, ph3 t)) = ovl"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [OvlS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let MarS = new_definition
 (`MarS`,
  "!(t:time) (s:time->^EBM_state).
   MarS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t))))))))))"
 );;

let MarS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    MarS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
               ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
               ph1 t, ph2 t, ph3 t)) = mar"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [MarS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let ResS = new_definition
 (`ResS`,
  "!(t:time) (s:time->^EBM_state).
   ResS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t)))))))))))"
 );;

let ResS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    ResS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
               ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
               ph1 t, ph2 t, ph3 t)) = res"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [ResS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let MpcS = new_definition
 (`MpcS`,
  "!(t:time) (s:time->^EBM_state).
   MpcS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t))))))))))))"
 );;

let MpcS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    MpcS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
               ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
               ph1 t, ph2 t, ph3 t)) = mpc"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [MpcS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let MirS = new_definition
 (`MirS`,
  "!(t:time) (s:time->^EBM_state).
   MirS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t)))))))))))))"
 );;

let MirS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    MirS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
               ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
               ph1 t, ph2 t, ph3 t)) = mir"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [MirS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let UromS = new_definition
 (`UromS`,
  "!(t:time) (s:time->^EBM_state).
   UromS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t))))))))))))))"
 );;

let UromS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    UromS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
                ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
                ph1 t, ph2 t, ph3 t)) = (\t:time. urom)"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [UromS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let RlatchS = new_definition
 (`RlatchS`,
  "!(t:time) (s:time->^EBM_state).
   RlatchS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t)))))))))))))))"
 );;

let RlatchS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    RlatchS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
                  ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
                  ph1 t, ph2 t, ph3 t)) = rlatch"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [RlatchS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let MlatchS = new_definition
 (`MlatchS`,
  "!(t:time) (s:time->^EBM_state).
   MlatchS s t = FST(SND(SND(SND(SND(
                     SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(
                     SND(s t))))))))))))))))"
 );;

let MlatchS = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    MlatchS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
                  ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
                  ph1 t, ph2 t, ph3 t)) = mlatch"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [MlatchS]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let Ph1S = new_definition
 (`Ph1S`,
  "!(t:time) (s:time->^EBM_state).
   Ph1S s t = FST(SND(SND(SND(SND(SND(SND(
                  SND(SND(SND(SND(SND(SND(SND(
                  SND(SND(SND(s t)))))))))))))))))"
 );;

let Ph1S = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    Ph1S (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
               ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
               ph1 t, ph2 t, ph3 t)) = ph1"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [Ph1S]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let Ph2S = new_definition
 (`Ph2S`,
  "!(t:time) (s:time->^EBM_state).
   Ph2S s t = FST(SND(SND(SND(SND(SND(SND(
                  SND(SND(SND(SND(SND(SND(
                  SND(SND(SND(SND(SND(s t))))))))))))))))))"
 );;

let Ph2S = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    Ph2S (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
               ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
               ph1 t, ph2 t, ph3 t)) = ph2"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [Ph2S]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let Ph3S = new_definition
 (`Ph3S`,
  "!(t:time) (s:time->^EBM_state).
   Ph3S s t = SND(SND(SND(SND(SND(SND(SND(SND(
              SND(SND(SND(SND(SND(SND(SND(SND(
              SND(SND(s t))))))))))))))))))"
 );;

let Ph3S = TAC_PROOF
 (([],
   "! (t:time) (regs:time->(*wordn)list)
      (mreg insreg din dout res rlatch mlatch:time->*wordn)
      (ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
      (mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
      (urom:num->ucode).
    Ph3S (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
               ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
               ph1 t, ph2 t, ph3 t)) = ph3"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [Ph3S]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;

let EBM_env = ":bool";;

let ResetE = new_definition
 (`ResetE`,
  "! (t:time) (e:time->^EBM_env).
   ResetE e t = e t"
 );;

let ResetE = TAC_PROOF
 (([],
   "! (t:time) (reset:time->bool).
    ResetE (\t. reset t) = reset"),
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [ResetE]
  THEN BETA_TAC
  THEN REWRITE_TAC []
 );;


%
Define Electronic Block Model
%

let EBM_def = new_definition
 (`EBM_def`,
  "! (rep:^rep_ty) (s:time->^EBM_state) (e:time->^EBM_env).
   EBM rep s e =
     ? opc reqm msl_stop rf mf df rd wr io mdf dfc aluctl dec_ctl
       r_sel result_sel din_en result_en addr_sel din_sel m_sel.
       (DATAPATH rep (DinS s) (DoutS s) (BS s) (MarS s) (RlatchS s)
                 (MlatchS s) (ResS s) (OvlS s) opc reqm (StopS s) msl_stop
                 (Ph2S s) (Ph3S s) (RegsS s) (MregS s) (InsregS s) rf mf df (RamS s)
                 rd wr io mdf dfc aluctl dec_ctl r_sel result_sel din_en
                 result_en addr_sel din_sel m_sel (ResetE e)) /\
       (CONTROL_UNIT rep (MpcS s) (Ph1S s) (Ph2S s) (Ph3S s) (StopS s) rf mf
                     df reqm opc msl_stop (ResS s) (BS s) (OvlS s) (MirS s) aluctl dec_ctl
                     rd wr io mdf dfc r_sel result_sel din_en result_en addr_sel din_sel
                     m_sel (UromS s) (ResetE e))"
 );;

let EBM = prove_thm
 (`EBM`,
  "! (rep:^rep_ty) (regs:time->(*wordn)list)
     (mreg insreg din dout:time->*wordn) (ram:time->*memory)
     (b stop ovl:time->bool) (mar:time->*address) (res:time->*wordn)
     (mpc:time->bt7) (mir:time->ucode) (urom:num->ucode)
     (rlatch mlatch:time->*wordn) (ph1 ph2 ph3:time->bool)
     (reset:time->bool).
   EBM rep (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
                 ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
                 ph1 t, ph2 t, ph3 t))
           (\t. (reset t)) =
     ? opc reqm msl_stop rf mf df rd wr io mdf dfc aluctl dec_ctl
       r_sel result_sel din_en result_en addr_sel din_sel m_sel.
       (DATAPATH rep din dout b mar rlatch mlatch res ovl opc reqm stop
                 msl_stop ph2 ph3 regs mreg insreg rf mf df ram rd wr io mdf dfc
                 aluctl dec_ctl r_sel result_sel din_en result_en addr_sel
                 din_sel m_sel reset) /\
       (CONTROL_UNIT rep mpc ph1 ph2 ph3 stop rf mf df reqm
                     opc msl_stop res b ovl mir aluctl dec_ctl rd wr io mdf dfc r_sel
                     result_sel din_en result_en addr_sel din_sel m_sel (\t:time. urom)
                     reset)",
  REWRITE_TAC [RegsS; MregS; InsregS; DinS; DoutS; RamS; BS; StopS;
               OvlS; MarS; ResS; MpcS; MirS; UromS; RlatchS; MlatchS;
               Ph1S; Ph2S; Ph3S; ResetE; EBM_def]
 );;


let EBM_expanded = save_thm
 (`EBM_expanded`,
  (CONV_RULE (TOP_DEPTH_CONV BETA_CONV)
    (REWRITE_RULE
      [DATAPATH; CONTROL_UNIT; REGISTER_BLOCK;
       MUXR_SPEC; MUXD_SPEC; MUXM_SPEC;
       REG_SPEC; FF_SPEC; REG_EN_SPEC;
       MAR_SPEC; PHASE_CLOCK_SPEC; STOP_SPEC;
       MPC_SPEC; INSDEC_SPEC; (EXPAND_LET_RULE MSL_SPEC);
       (EXPAND_LET_RULE ALU_SPEC); EXT_INTERFACE]
      (SPEC_ALL EBM)))
 );;

%
Define a function that maps EBM state to the EBM counter.
%

let GetEBMClock = new_definition
 (`GetEBMClock`,
  "! (regs:(*wordn)list) (mreg insreg din dout:*wordn) (ram:*memory)
     (b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7) (mir:ucode)
     (urom:num->ucode) (rlatch mlatch:*wordn) (ph1 ph2 ph3:bool) (reset:bool).
   GetEBMClock (regs, mreg, insreg, din, dout, ram, b, stop, ovl, mar, res,
                mpc, mir, urom, rlatch, mlatch, ph1, ph2, ph3) (reset) =
     Cxrbool.F"
 );;

%
Define the start state
%

let EBM_Start = new_definition
 (`EBM_Start`,
  "EBM_Start = Cxsbool.F"
 );;

close_theory();;




Appendix J: INSTRUCTION DECODER

CASES FOR THE DECODER:

1. bcmp
   CSF

2. writeio
   ~CSF /\ DSF = (T,T,T)

3. writem
   ~CSF /\ DSF = (T,T,F)

4. noop
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   (DSF = (T, F, F) /\ ~b)

5. noop
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   (DSF = (T, F, T) /\ b)

6. call
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   FSF = (F, F, F, T)

7. neg
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   ~FSF = (F, F, F, T) /\
   FSF = (F, F, F, F)

8. readio
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   ~FSF = (F, F, F, T) /\
   FSF = (F, F, T, F)

9. readm
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   ~FSF = (F, F, F, T) /\
   FSF = (F, F, T, T)

10. addb
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   ~FSF = (F, F, F, T) /\
   FSF = (F, T, F, F)

11. adds
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   ~FSF = (F, F, F, T) /\
   FSF = (F, T, F, T)

12. subb
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   ~FSF = (F, F, F, T) /\
   FSF = (F, T, T, F)

13. subo
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   ~FSF = (F, F, F, T) /\
   FSF = (F, T, T, T)

14. xor
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   ~FSF = (F, F, F, T) /\
   FSF = (T, F, F, F)

15. and
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   ~FSF = (F, F, F, T) /\
   FSF = (T, F, F, T)

16. nor
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   ~FSF = (F, F, F, T) /\
   FSF = (T, F, T, F)

17. andmbar
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   ~FSF = (F, F, F, T) /\
   FSF = (T, F, T, T)

18. shr
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   ~FSF = (F, F, F, T) /\
   FSF = (T, T, F, F) /\ (MSF = (F, F))

19. shrb
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   ~FSF = (F, F, F, T) /\
   FSF = (T, T, F, F) /\ (MSF = (F, T))

20. shl
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   ~FSF = (F, F, F, T) /\
   FSF = (T, T, F, F) /\ (MSF = (T, F))

21. shlb
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
   ~FSF = (F, F, F, T) /\
   FSF = (T, T, F, F) /\ (MSF = (T, T))

22. error
   ~CSF /\
   ~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
   ~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b))
"FSF = (F, F, F, T) /\ 

FSF = (T, T, F, T) 


23. error 
'CSF /\ 

'(DSF = (T, T, T) V DSF = (T. T, F)) /\ 

'((DSF - (T, F, T) /\ -b) \/ (DSF = (T. F, F) /\ b)) 
-FSF = (F, F, F, T) /\ 

FSF = (T, T, T, F) 

24 . error 
'CSF /\ 

-(DSF = (T, T, T) V DSF = (T, T, F)) A 
-((DSF = (T, F, T) A -b) \/ (DSF = (T, F, F) A b)) 
"FSF = (F, F, F, T) A 
FSF = (T, T, T, T) 
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
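The 24 cases above only define the decoder if they partition its input space, i.e. every combination of CSF, DSF, FSF, MSF and b is matched by exactly one case. As an added check that is not part of the report and does not reproduce the HOL definition INSDEC_SPEC, the following Python transcribes the conditions exactly as they are listed (case names and field widths taken from the list) and brute-forces all 2048 inputs:

```python
from itertools import product
T, F = True, False

# cases 7-17 and 22-24: selected by FSF alone once case 6 (FSF = (F,F,F,T)) is excluded
FSF_CASES = {(F, F, F, F): (7, "neg"), (F, F, T, F): (8, "readio"),
             (F, F, T, T): (9, "readm"), (F, T, F, F): (10, "addb"),
             (F, T, F, T): (11, "adds"), (F, T, T, F): (12, "subb"),
             (F, T, T, T): (13, "subo"), (T, F, F, F): (14, "xor"),
             (T, F, F, T): (15, "and"), (T, F, T, F): (16, "nor"),
             (T, F, T, T): (17, "andmbar"), (T, T, F, T): (22, "error"),
             (T, T, T, F): (23, "error"), (T, T, T, T): (24, "error")}
# cases 18-21: FSF = (T,T,F,F) further split on MSF
MSF_CASES = {(F, F): (18, "shr"), (F, T): (19, "shrb"),
             (T, F): (20, "shl"), (T, T): (21, "shlb")}

def matching_cases(csf, dsf, fsf, msf, b):
    """All (number, name) pairs from Appendix J whose condition holds; a sound
    case split yields exactly one pair for every input."""
    hits = []
    if csf:
        hits.append((1, "bcmp"))
    if not csf and dsf == (T, T, T):
        hits.append((2, "writeio"))
    if not csf and dsf == (T, T, F):
        hits.append((3, "writem"))
    n = not csf and dsf not in ((T, T, T), (T, T, F))   # prefix of cases 4-24
    if n and dsf == (T, F, F) and not b:
        hits.append((4, "noop"))
    if n and dsf == (T, F, T) and b:
        hits.append((5, "noop"))
    # prefix of cases 6-24, transcribed exactly as the conditions are written
    m = n and not ((dsf == (T, F, T) and not b) or (dsf == (T, F, F) and b))
    if m and fsf == (F, F, F, T):
        hits.append((6, "call"))
    q = m and fsf != (F, F, F, T)                        # prefix of cases 7-24
    if q and fsf in FSF_CASES:
        hits.append(FSF_CASES[fsf])
    if q and fsf == (T, T, F, F):
        hits.append(MSF_CASES[msf])
    return hits

def partition_check():
    """Enumerate all 2^11 (CSF, DSF, FSF, MSF, b) inputs and count those matched
    by no case, exactly one case, or more than one case."""
    counts = {"none": 0, "one": 0, "many": 0}
    for v in product((T, F), repeat=11):
        k = len(matching_cases(v[0], v[1:4], v[4:8], v[8:10], v[10]))
        counts["none" if k == 0 else "one" if k == 1 else "many"] += 1
    return counts   # -> {'none': 128, 'one': 1792, 'many': 128} for the cases as listed
```

Run on the conditions as listed, the check reports 128 inputs matched by no case and 128 matched by two: the noop conditions of cases 4 and 5 (DSF = (T,F,F) /\ ~b, DSF = (T,F,T) /\ b) do not coincide with the disjunct negated in cases 6 to 24 (DSF = (T,F,T) /\ ~b, DSF = (T,F,F) /\ b), so the two readings of the conditional-jump encoding need to be reconciled before the case split can serve as a definition.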